Logstash：我需要为下面的 WebSphere 日志定义 grok 模式
标签：logstash、logstash-grok、elk。请帮助我为以下 WebSphere 日志（每行一条、本身已是 JSON 格式）创建 grok 模式：
{ "sysdate":"[08/Jun/2019:00:00:12 -0400]", "site":"abcd.net", "host":"hostnam.net", "method":"POST", "request":"/services/path", "querystring":"", "port":"4123", "username":"-", "cookie":"0000k1cgki:1f:1bv8tat", "coauthsessionid":"-", "clienthost":"44.25.14.241", "httpversion":"HTTP/1.1", "useragent":"-", "referer":"-", "responsestatus":"200", "subresponse":"0", "win32status":"0", "sbytes":"799", "cbytes":"0", "timetaken":"3595" }
试试这个（注意：下面的模式把每个字段都写成 GREEDYDATA，只是对这一条样本的逐字匹配——键的顺序、空格或引号一变就会整行 `_grokparsefailure`；样本本身是合法 JSON，通常更应使用 json 过滤器，见文末讨论）:
输入（样本日志；其后依次为 grok 模式与 grok debugger 的解析结果）:
{"sysdate":"[08/Jun/2019:00:00:12 -0400]","site":"abcd.net","host":"hostnam.net", "method":"POST", "request":"/services/path", "querystring":"", "port":"4123", "username":"-", "cookie":"0000k1cgki:1f:1bv8tat", "coauthsessionid":"-", "clienthost":"44.25.14.241", "httpversion":"HTTP/1.1", "useragent":"-", "referer":"-", "responsestatus":"200", "subresponse":"0", "win32status":"0", "sbytes":"799", "cbytes":"0", "timetaken":"3595"}
\{"sysdate":"%{GREEDYDATA:sysdate}","site":"%{GREEDYDATA:site}","host":"%{GREEDYDATA:host}", "method":"%{GREEDYDATA:method}", "request":"%{GREEDYDATA:request}", "querystring":"%{GREEDYDATA:querystring}", "port":"%{GREEDYDATA:port}", "username":"%{GREEDYDATA:username}", "cookie":"%{GREEDYDATA:cookie}", "coauthsessionid":"%{GREEDYDATA:coauthsessionid}", "clienthost":"%{GREEDYDATA:clienthost}", "httpversion":"%{GREEDYDATA:httpversion}", "useragent":"%{GREEDYDATA:useragent}", "referer":"%{GREEDYDATA:referer}", "responsestatus":"%{GREEDYDATA:responsestatus}", "subresponse":"%{GREEDYDATA:subresponse}", "win32status":"%{GREEDYDATA:win32status}", "sbytes":"%{GREEDYDATA:sbytes}", "cbytes":"%{GREEDYDATA:cbytes}", "timetaken":"%{GREEDYDATA:timetaken}"\}
{
"sysdate": [
[
"[08/Jun/2019:00:00:12 -0400]"
]
],
"site": [
[
"abcd.net"
]
],
"host": [
[
"hostnam.net"
]
],
"method": [
[
"POST"
]
],
"request": [
[
"/services/path"
]
],
"querystring": [
[
""
]
],
"port": [
[
"4123"
]
],
"username": [
[
"-"
]
],
"cookie": [
[
"0000k1cgki:1f:1bv8tat"
]
],
"coauthsessionid": [
[
"-"
]
],
"clienthost": [
[
"44.25.14.241"
]
],
"httpversion": [
[
"HTTP/1.1"
]
],
"useragent": [
[
"-"
]
],
"referer": [
[
"-"
]
],
"responsestatus": [
[
"200"
]
],
"subresponse": [
[
"0"
]
],
"win32status": [
[
"0"
]
],
"sbytes": [
[
"799"
]
],
"cbytes": [
[
"0"
]
],
"timetaken": [
[
"3595"
]
]
}
GROK 模式（以下为同一组样本 / 模式 / 解析结果的重复粘贴，模式为第二行）:
{"sysdate":"[08/Jun/2019:00:00:12 -0400]","site":"abcd.net","host":"hostnam.net", "method":"POST", "request":"/services/path", "querystring":"", "port":"4123", "username":"-", "cookie":"0000k1cgki:1f:1bv8tat", "coauthsessionid":"-", "clienthost":"44.25.14.241", "httpversion":"HTTP/1.1", "useragent":"-", "referer":"-", "responsestatus":"200", "subresponse":"0", "win32status":"0", "sbytes":"799", "cbytes":"0", "timetaken":"3595"}
\{"sysdate":"%{GREEDYDATA:sysdate}","site":"%{GREEDYDATA:site}","host":"%{GREEDYDATA:host}", "method":"%{GREEDYDATA:method}", "request":"%{GREEDYDATA:request}", "querystring":"%{GREEDYDATA:querystring}", "port":"%{GREEDYDATA:port}", "username":"%{GREEDYDATA:username}", "cookie":"%{GREEDYDATA:cookie}", "coauthsessionid":"%{GREEDYDATA:coauthsessionid}", "clienthost":"%{GREEDYDATA:clienthost}", "httpversion":"%{GREEDYDATA:httpversion}", "useragent":"%{GREEDYDATA:useragent}", "referer":"%{GREEDYDATA:referer}", "responsestatus":"%{GREEDYDATA:responsestatus}", "subresponse":"%{GREEDYDATA:subresponse}", "win32status":"%{GREEDYDATA:win32status}", "sbytes":"%{GREEDYDATA:sbytes}", "cbytes":"%{GREEDYDATA:cbytes}", "timetaken":"%{GREEDYDATA:timetaken}"\}
{
"sysdate": [
[
"[08/Jun/2019:00:00:12 -0400]"
]
],
"site": [
[
"abcd.net"
]
],
"host": [
[
"hostnam.net"
]
],
"method": [
[
"POST"
]
],
"request": [
[
"/services/path"
]
],
"querystring": [
[
""
]
],
"port": [
[
"4123"
]
],
"username": [
[
"-"
]
],
"cookie": [
[
"0000k1cgki:1f:1bv8tat"
]
],
"coauthsessionid": [
[
"-"
]
],
"clienthost": [
[
"44.25.14.241"
]
],
"httpversion": [
[
"HTTP/1.1"
]
],
"useragent": [
[
"-"
]
],
"referer": [
[
"-"
]
],
"responsestatus": [
[
"200"
]
],
"subresponse": [
[
"0"
]
],
"win32status": [
[
"0"
]
],
"sbytes": [
[
"799"
]
],
"cbytes": [
[
"0"
]
],
"timetaken": [
[
"3595"
]
]
}
输出（以下为同一组样本 / 模式 / 解析结果的重复粘贴，解析结果为第三部分）:
{"sysdate":"[08/Jun/2019:00:00:12 -0400]","site":"abcd.net","host":"hostnam.net", "method":"POST", "request":"/services/path", "querystring":"", "port":"4123", "username":"-", "cookie":"0000k1cgki:1f:1bv8tat", "coauthsessionid":"-", "clienthost":"44.25.14.241", "httpversion":"HTTP/1.1", "useragent":"-", "referer":"-", "responsestatus":"200", "subresponse":"0", "win32status":"0", "sbytes":"799", "cbytes":"0", "timetaken":"3595"}
\{"sysdate":"%{GREEDYDATA:sysdate}","site":"%{GREEDYDATA:site}","host":"%{GREEDYDATA:host}", "method":"%{GREEDYDATA:method}", "request":"%{GREEDYDATA:request}", "querystring":"%{GREEDYDATA:querystring}", "port":"%{GREEDYDATA:port}", "username":"%{GREEDYDATA:username}", "cookie":"%{GREEDYDATA:cookie}", "coauthsessionid":"%{GREEDYDATA:coauthsessionid}", "clienthost":"%{GREEDYDATA:clienthost}", "httpversion":"%{GREEDYDATA:httpversion}", "useragent":"%{GREEDYDATA:useragent}", "referer":"%{GREEDYDATA:referer}", "responsestatus":"%{GREEDYDATA:responsestatus}", "subresponse":"%{GREEDYDATA:subresponse}", "win32status":"%{GREEDYDATA:win32status}", "sbytes":"%{GREEDYDATA:sbytes}", "cbytes":"%{GREEDYDATA:cbytes}", "timetaken":"%{GREEDYDATA:timetaken}"\}
{
"sysdate": [
[
"[08/Jun/2019:00:00:12 -0400]"
]
],
"site": [
[
"abcd.net"
]
],
"host": [
[
"hostnam.net"
]
],
"method": [
[
"POST"
]
],
"request": [
[
"/services/path"
]
],
"querystring": [
[
""
]
],
"port": [
[
"4123"
]
],
"username": [
[
"-"
]
],
"cookie": [
[
"0000k1cgki:1f:1bv8tat"
]
],
"coauthsessionid": [
[
"-"
]
],
"clienthost": [
[
"44.25.14.241"
]
],
"httpversion": [
[
"HTTP/1.1"
]
],
"useragent": [
[
"-"
]
],
"referer": [
[
"-"
]
],
"responsestatus": [
[
"200"
]
],
"subresponse": [
[
"0"
]
],
"win32status": [
[
"0"
]
],
"sbytes": [
[
"799"
]
],
"cbytes": [
[
"0"
]
],
"timetaken": [
[
"3595"
]
]
}
评论：
- 你可以直接把这段 JSON 交给 Logstash 的 json 过滤器（或直接写入 ES），不必用 grok。你想用 grok 模式做什么——只提取某几个特定字段，还是其中的每个字段？
- 这条数据本身就是合法 JSON。把它当纯文本用 grok 解析是个糟糕的方案：输入的第一次变化（键的顺序、空格、某个值里出现 `\"`）就会让整行失配。另外，上面的模式 20 个字段全是 GREEDYDATA（即 `.*`），匹配失败的行会引发大量回溯，吞吐会明显下降；而且 grok 不做 JSON 反转义，`useragent`、`referer`、`querystring` 这类由客户端控制的值会带着 `\"`、`\\`、`\uXXXX` 原样进入字段。更好的做法是 `json { source => "message" skip_on_invalid_json => true }`，再用 `mutate { convert => { "responsestatus" => "integer" "sbytes" => "integer" "cbytes" => "integer" "timetaken" => "integer" } }` 把数值字段转成数字，用 `date` 解析 `sysdate`；样本里自带 `host` 键，若输入插件也会设置 `host`，请用 `target` 把解析结果放进子对象以免覆盖。
- 如果一定要用 grok，至少把能收紧的字段收紧：`\[%{HTTPDATE:sysdate}\]`、`%{WORD:method}`、`%{IP:clienthost}`、`%{NUMBER:responsestatus:int}`、`%{NUMBER:timetaken:int}`，自由文本用 `[^"]*` 而不是 GREEDYDATA；并且在 output 侧单独处理带 `_grokparsefailure` 标签的事件，不要让解析失败的行被静默丢掉。
- 还要注意 `cookie` 字段里是会话标识（样本中的 `0000k1cgki:1f:1bv8tat`）。会话 ID 进了 Elasticsearch 就等于把可重放的凭据放进了日志库，索引前用 `mutate { remove_field => ["cookie"] }` 删掉，或用 `fingerprint` 过滤器做哈希只保留关联性。
- 但提问者要求的就是针对这段 JSON 的 grok 模式，所以这个回答与提问是一致的；上述建议应该写到问题的评论区。