Logstash: how to match several possible log event formats?

Tags: logstash, grok, logstash-grok


I have events from a single log source that can come in several known formats. For example:

10:45 Today is Monday
11:13 The weather is nice
12:00 The weather is cloudy
I can match these with

The weather is %{WORD:weather}
Today is %{WORD:weekday}
I'm not yet used to the format of logstash filters. To account for each possibility, should I build something like

filter {
  # Field references in conditionals take square brackets: [message]
  if [message] =~ "The weather is" {
    grok {
      match => { "message" => "The weather is %{WORD:weather}" }
    }
  }
  if [message] =~ "Today is" {
    grok {
      match => { "message" => "Today is %{WORD:weekday}" }
    }
  }
}

Or is there something more compact? (For example, a list of the possible patterns for an event with an associated mapping.)

I found a solution: enumerate the patterns:

filter {
  grok {
    match => { "message" => [ "hello %{WORD:who}", "the weather is %{WORD:weather}" ] }
  }
}
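The pattern list above works, but as written it is unanchored and silently lets through any line that matches nothing. The following filter is an added example, not code from the question or the answer: it applies the same list-of-alternatives idea to the three sample lines from the question (which carry an HH:MM prefix), anchors each alternative to the whole line, tags events that match nothing, and bounds the time grok may spend on one event. The pattern name HHMM and the field names clock, weekday, weather and parse_status are my own choices; pattern_definitions, break_on_match, tag_on_failure and timeout_millis are standard options of the grok filter (pattern_definitions assumes the grok plugin shipped with Logstash 5 or later).

```logstash
filter {
  grok {
    # Custom pattern for the "HH:MM" prefix of the sample events. grok's
    # built-in TIME pattern requires seconds, so it would not match "10:45".
    # HHMM is an assumed name; HOUR and MINUTE are built-in grok patterns.
    pattern_definitions => { "HHMM" => "%{HOUR}:%{MINUTE}" }

    # Alternatives are tried top to bottom and the first match wins
    # (break_on_match defaults to true). ^ and $ make each alternative match
    # the whole line; without them "Today is %{WORD:weekday}" would also fire
    # on any longer line that merely contains that phrase.
    match => {
      "message" => [
        "^%{HHMM:clock} Today is %{WORD:weekday}$",
        "^%{HHMM:clock} The weather is %{WORD:weather}$"
      ]
    }
    break_on_match => true

    # Lines that match none of the alternatives get this tag (grok's default
    # tag name) instead of passing through unparsed and unnoticed.
    tag_on_failure => ["_grokparsefailure"]

    # Upper bound on the time grok may spend matching one event, so a crafted
    # or unexpectedly long line cannot pin a pipeline worker (default 30000).
    timeout_millis => 5000
  }

  # Make unparsed events visible downstream rather than letting them vanish
  # into the same index as parsed ones. parse_status is an assumed field name.
  if "_grokparsefailure" in [tags] {
    mutate { add_field => { "parse_status" => "unmatched" } }
  }
}
```

Expected result on the sample input: "10:45 Today is Monday" yields clock=10:45 and weekday=Monday, and the two weather lines yield clock plus weather=nice and weather=cloudy; a line such as "13:00 Something else" gets the _grokparsefailure tag and parse_status=unmatched. One caveat on the $ anchor: if the source sends Windows line endings, the trailing \r makes every anchored alternative fail, so strip it (for example with a mutate gsub on [message]) before the grok filter, or the failure tag will fire on every event.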