I wrote a grok pattern that puts a large chunk of the message into a single field. Now I want to add a different grok to extract data from that field.
First Grok:
grok {
match => { "message" => "%{WORD:ThreadNo}: %{NOTSPACE:tNumber}, %{GREEDYDATA:Info}" }
}
In the Info field I captured raw data, namely
"tNumber" => "t@-1686439616",
"ThreadNo" => "3",
"Info" => "<Start Stack Trace> <1 - ADK Verbose Trace Entry> stateless dispatch for invokeClass.bosInterface executing Active: 1 minute 49.00 seconds User: s-plmv6intp Tenant: Session: 2FF1BFBFCC010E7815678741BB95907F:mx115420087975768b5:(WebServiceFacade.java:84) Parameters: bosContext _cntx: user: User Agent depth: 2 session id: 2FF1BFBFCC010E7815678741BB95907F:mx115420087975768b5:(WebServiceFacade.java:84) bosStringList _params: 2 entries $$MXRIP$$java.util.HashMap 6 uint8 _local: 1",
Now, if I want to write another grok to extract data fields from Info, how can I do that? Thanks.
If you want to use a second grok, use a second grok filter. Don't try to do two matches in one grok filter. In theory it is supported, but it is easy to get wrong. With the configuration below
input { generator { count => 1 lines => [ 't@-1686439616: 3, <Start Stack Trace> <1 - ADK Verbose Trace Entry> stateless dispatch for invokeClass.bosInterface executing Active: 1 minute 49.00 seconds User: s-plmv6intp Tenant: Session: 2FF1BFBFCC010E7815678741BB95907F:mx115420087975768b5:(WebServiceFacade.java:84) Parameters: bosContext _cntx: user: User Agent depth: 2 session id: 2FF1BFBFCC010E7815678741BB95907F:mx115420087975768b5:(WebServiceFacade.java:84) bosStringList _params: 2 entries $$MXRIP$$java.util.HashMap 6 uint8 _local: 1' ] } }
filter {
    grok { match => { "message" => "%{WORD:ThreadNo}: %{NOTSPACE:tNumber}, %{GREEDYDATA:Info}" } }
    grok { match => { "Info" => "((.|\r|\n)*)Active: %{GREEDYDATA:Active}\s*User:\s*%{USER:UserInfo}" } }
}
output { stdout { codec => rubydebug { metadata => false } } }
the output contains
"ThreadNo" => "1686439616",
"tNumber" => "3",
"UserInfo" => "s-plmv6intp",
"Active" => "1 minute 49.00 seconds "
etc.
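To make visible what the two chained grok filters do, here is an added Python re-implementation of the small grok subset used in this thread (my own example, not Logstash code and not part of the original posts). It also shows that grok matches are unanchored searches, which is why the generator line above, where the first two fields are in the opposite order from the question, still matches with ThreadNo = "1686439616"; prepending ^ makes such a line fail with a _grokparsefailure tag instead. The sample message is constructed from the question's data.

```python
import re

# Regex equivalents of the built-in grok patterns used in this thread.
GROK_PATTERNS = {
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "GREEDYDATA": r".*",
    "USER": r"[a-zA-Z0-9._-]+",
}

def grok_to_regex(pattern: str) -> "re.Pattern[str]":
    """Expand %{NAME:field} tokens into named groups and compile the result."""
    expanded = re.sub(
        r"%\{(\w+):(\w+)\}",
        lambda m: f"(?P<{m.group(2)}>{GROK_PATTERNS[m.group(1)]})",
        pattern,
    )
    return re.compile(expanded)

def grok(event: dict, source: str, pattern: str) -> dict:
    """One grok filter: unanchored search on `source`, merge the captures,
    or tag the event with _grokparsefailure as Logstash does."""
    match = grok_to_regex(pattern).search(event.get(source, ""))
    if match is None:
        event.setdefault("tags", []).append("_grokparsefailure")
    else:
        event.update(match.groupdict())
    return event

def parse(message: str, anchor: bool = False) -> dict:
    """The two chained filters from the answer. `anchor` prepends ^ to the
    first pattern so a line in the wrong layout fails instead of matching
    a substring somewhere in the middle of the line."""
    first = "%{WORD:ThreadNo}: %{NOTSPACE:tNumber}, %{GREEDYDATA:Info}"
    if anchor:
        first = "^" + first
    event = {"message": message}
    grok(event, "message", first)
    # (.|\r|\n)* is not needed here: search() already scans from any offset.
    grok(event, "Info", r"Active: %{GREEDYDATA:Active}\s*User:\s*%{USER:UserInfo}")
    return event

# Constructed sample in the question's layout (ThreadNo first, then tNumber).
SAMPLE = ("3: t@-1686439616, <Start Stack Trace> stateless dispatch executing "
          "Active: 1 minute 49.00 seconds User: s-plmv6intp Tenant: Session: "
          "Parameters: bosContext _cntx: user: User Agent depth: 2")
# Same fields, but in the order used by the answer's generator input.
SWAPPED = SAMPLE.replace("3: t@-1686439616,", "t@-1686439616: 3,", 1)
```

Running parse(SWAPPED) reproduces the answer's output (ThreadNo "1686439616", tNumber "3"), while parse(SWAPPED, anchor=True) tags the event instead of capturing the wrong field.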