获取logstash中grok中匹配的图案的名称
如果我有一个模式文件,其中包含一组正则表达式模式,如下所示获取logstash中grok中匹配的图案的名称,logstash,logstash-grok,grok,Logstash,Logstash Grok,Grok,如果我有一个模式文件,其中包含一组正则表达式模式,如下所示 A .*foo.* B .*bar.* C .*baz.* 我的grok过滤器如下所示: grok { patterns_dir => ["/location/of/patterns"] match => { "request" => [ "%{A}", "%{B}", "%{C}",] } } 有没有办法知道哪一个匹配。即语法的名称。我想用匹配变量的名称对文档进行注释,您通常要做的是命名匹配变量。其语
A .*foo.*
B .*bar.*
C .*baz.*
grok {
patterns_dir => ["/location/of/patterns"]
match => { "request" => [ "%{A}", "%{B}", "%{C}",]
}
}
有没有办法知道哪一个匹配。即语法的名称。我想用匹配变量的名称对文档进行注释,您通常要做的是命名匹配变量。其语法如下: (以你为例): 因此,您的grok的匹配项现在将命名为: A:A B:姓名B C:换个名字 所以在你的例子中,你可以根据模式来命名它们。那应该行得通 或者(我刚刚用grok debugger测试过),如果您不命名匹配的模式,它们将默认为模式的名称(我认为这是您想要的)。这样做的缺点是,如果重用模式,结果将是一个值数组 这是我运行的测试: 输入:
Caused by: com.my.application.IOException: null Caused by: com.my.application.IOException: null asd asd
{
"GREEDYDATA": [
[
" com.my.application.IOException: null Caused by: com.my.application.IOException",
" null asd asd"
]
]
}
{"a" : "b", "prefix_patterna" : "", "prefix_patternb" : "bla"}
{"a" : "b", "prefix_patterna" : "sd", "prefix_patternb" : ""}
前缀模式a前缀模式bruby {
code => "
toAdd = nil;
event.to_hash.each { |k,v|
if k.start_with?('prefix_') && v.to_s != ''
toAdd = k
end
}
if toAdd.to_s != ''
event['test'] = toAdd
end
"
}
Settings: Default pipeline workers: 8
Pipeline main started
{"a" : "b", "prefix_patterna" : "sd", "prefix_patternb" : ""}
{
"message" => "{\"a\" : \"b\", \"prefix_patterna\" : \"sd\", \"prefix_patternb\" : \"\"}",
"@version" => "1",
"@timestamp" => "2016-09-15T09:48:29.418Z",
"host" => "pandaadb",
"a" => "b",
"prefix_patterna" => "sd",
"prefix_patternb" => "",
"test" => "prefix_patterna"
}
{"a" : "b", "prefix_patterna" : "", "prefix_patternb" : "bla"}
{
"message" => "{\"a\" : \"b\", \"prefix_patterna\" : \"\", \"prefix_patternb\" : \"bla\"}",
"@version" => "1",
"@timestamp" => "2016-09-15T09:48:36.359Z",
"host" => "pandaadb",
"a" => "b",
"prefix_patterna" => "",
"prefix_patternb" => "bla",
"test" => "prefix_patternb"
}
可能有一些方法可以简化/调整这一点,但我不是专家(目前!)。每个grok有一个模式,带有add_标记。我希望一个字段能够将结果捕获到一个新字段中。e、 g,如果我们看上面的例子,如果我们有两个不同的输入:1)foo_too 2)boo_too模式:foo foo.*boo boo.*我希望输出中一个名为“too_type”的字段根据匹配的类型为“foo”或“boo”。您给出的示例也将使用FOO=FOO_,而不是具有匹配模式的公共字段名。示例“too_type”=foo如果一个匹配项是字段名,另一个匹配项是字段值,您可以使用mutate过滤器在事件上创建一个字段,并引用这两个字段。我关心的具体情况是各种模式的url请求,我想要一个req_类型的字段,用一些正则表达式来注释,这些正则表达式定义请求的类型是正确的-这可以通过ruby过滤器中的循环来解决,然而,你必须对你的名字有一个约定。基本上,每个匹配的模式都会加上前缀,如“mypattern{name}”。运行grok后,使用ruby过滤器迭代所有事件,并将类型设置为非空。您可以将grok匹配设置为可选,这样,当模式不存在时,就不会出现解析失败
ruby {
code => "
toAdd = nil;
event.to_hash.each { |k,v|
if k.start_with?('prefix_') && v.to_s != ''
toAdd = k
end
}
if toAdd.to_s != ''
event['test'] = toAdd
end
"
}
Settings: Default pipeline workers: 8
Pipeline main started
{"a" : "b", "prefix_patterna" : "sd", "prefix_patternb" : ""}
{
"message" => "{\"a\" : \"b\", \"prefix_patterna\" : \"sd\", \"prefix_patternb\" : \"\"}",
"@version" => "1",
"@timestamp" => "2016-09-15T09:48:29.418Z",
"host" => "pandaadb",
"a" => "b",
"prefix_patterna" => "sd",
"prefix_patternb" => "",
"test" => "prefix_patterna"
}
{"a" : "b", "prefix_patterna" : "", "prefix_patternb" : "bla"}
{
"message" => "{\"a\" : \"b\", \"prefix_patterna\" : \"\", \"prefix_patternb\" : \"bla\"}",
"@version" => "1",
"@timestamp" => "2016-09-15T09:48:36.359Z",
"host" => "pandaadb",
"a" => "b",
"prefix_patterna" => "",
"prefix_patternb" => "bla",
"test" => "prefix_patternb"
}
grok {
patterns_dir => ["/location/of/patterns"]
match => { "request" => "%{A}"
add_tag => [ "pattern_A" ]
add_field => { "pattern" => "A" } # another option
tag_on_failure => [ ] # prevent false failure tags
}
if ("pattern_A" not in [tags]) {
grok {
patterns_dir => ["/location/of/patterns"]
match => { "request" => "%{B}"
add_tag => [ "pattern_B" ]
tag_on_failure => [ ] # prevent false failure tags
}
}
if (["pattern_A","pattern_B"] not in [tags]) {
grok {
patterns_dir => ["/location/of/patterns"]
match => { "request" => "%{C}"
add_tag => [ "pattern_C" ]
}
}