Logstash Grok pattern for ping

Tags: logstash, logstash-grok, logstash-configuration

I have the following sample from my logs:
Tue Mar 27 06:51:48 2018 PING www.google.com (172.217.169.100) 56(84) bytes of data.
64 bytes from sof02s31-in-f4.1e100.net (172.217.169.100): icmp_seq=1 ttl=128 time=17.4 ms
--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 17.482/17.482/17.482/0.000 ms
I want to create a grok pattern for logstash and extract, from the last two lines, values such as TIMESTAMP, IPV4, TTL, and the RTT min/avg/max values.
This log is sent by a ping script to the same IP every second or so. I think I need a multiline pattern to get the values from each of these 6 lines at the same time.
Any help would be great.
Thanks

If you use the Oniguruma syntax to escape the newline, i.e. \n, then you don't need multiline. For example, (?<newline>(.|\r|\n)*) can match all the unneeded data in the log between the two parts, i.e.
" time=17.4 ms\n\n--- www.google.com ping statistics ---\n1 packets transmitted, 1 received, 0% packet loss, time 0ms\n"
Your final grok pattern would look like this:
%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR} %{WORD:PING} %{HOSTNAME:host} \(%{IP:ip_address}\) %{DATA} ttl=%{INT:TTL}(?<newline>(.|\r|\n)*)rtt min/avg/max/mdev = %{NUMBER:min}/%{NUMBER:avg}/%{NUMBER:max}/%{NUMBER:mdev} ms
You can use a custom pattern like (?<newline>(.|\r|\n)*) to escape the whitespace between the two lines. Please read my answer. Thanks
{
"DAY": [
[
"Tue"
]
],
"MONTH": [
[
"Mar"
]
],
"MONTHDAY": [
[
"27"
]
],
"TIME": [
[
"06:51:48"
]
],
"HOUR": [
[
"06"
]
],
"MINUTE": [
[
"51"
]
],
"SECOND": [
[
"48"
]
],
"YEAR": [
[
"2018"
]
],
"PING": [
[
"PING"
]
],
"host": [
[
"www.google.com"
]
],
"ip_address": [
[
"172.217.169.100"
]
],
"IPV6": [
[
null
]
],
"IPV4": [
[
"172.217.169.100"
]
],
"DATA": [
[
"56(84) bytes of data. 64 bytes from sof02s31-in-f4.1e100.net (172.217.169.100): icmp_seq=1"
]
],
"TTL": [
[
"128"
]
],
"newline": [
[
" time=17.4 ms\n\n--- www.google.com ping statistics ---\n1 packets transmitted, 1 received, 0% packet loss, time 0ms\n"
]
],
"min": [
[
"17.482"
]
],
"BASE10NUM": [
[
"17.482",
"17.482",
"17.482",
"0.000"
]
],
"avg": [
[
"17.482"
]
],
"max": [
[
"17.482"
]
],
"mdev": [
[
"0.000"
]
]
}
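Added example, not code from the question or the answer: a complete Logstash pipeline built around the answer's pattern. It assumes the ping output arrives one line at a time from a file input, so a multiline codec first folds each ping run into a single event; the file path is a placeholder, and the extra (?<timestamp>...) capture plus the date and mutate filters go beyond what the answer shows.

```logstash
input {
  file {
    path => "/var/log/ping/ping.log"   # placeholder path, not from the question
    start_position => "beginning"
    # Assumption: every ping run starts with a "Tue Mar 27 06:51:48 2018 PING ..." line.
    # Lines that do NOT start that way are appended to the previous event, so the
    # whole 6-line block reaches the grok filter as one message.
    codec => multiline {
      pattern => "^%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR} "
      negate => true
      what => "previous"
      auto_flush_interval => 2
    }
  }
}

filter {
  grok {
    # The answer's pattern, with the leading timestamp additionally captured as one
    # field; the (?<newline>...) Oniguruma capture swallows the lines in between.
    match => { "message" => "(?<timestamp>%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}) %{WORD:PING} %{HOSTNAME:host} \(%{IP:ip_address}\) %{DATA} ttl=%{INT:TTL}(?<newline>(.|\r|\n)*)rtt min/avg/max/mdev = %{NUMBER:min}/%{NUMBER:avg}/%{NUMBER:max}/%{NUMBER:mdev} ms" }
    # The file input already sets "host"; without overwrite grok would turn it into an array.
    overwrite => [ "host" ]
  }
  date {
    # Use the ping line's own time as @timestamp instead of the ingestion time.
    match => [ "timestamp", "EEE MMM dd HH:mm:ss yyyy" ]
  }
  mutate {
    # Grok captures are strings; convert them so they can be aggregated numerically.
    convert => { "TTL" => "integer" "min" => "float" "avg" => "float" "max" => "float" "mdev" => "float" }
    remove_field => [ "newline" ]
  }
}

output {
  stdout { codec => rubydebug }
}
```

On Logstash 8 with ECS compatibility enabled, host is an object ([host][name]), so rename the capture (for example %{HOSTNAME:ping_target}) instead of overwriting it.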