Extracting log data with grok



I am trying to extract data from a log file using grok. My log line looks like this:

[Server 192.178.35.40] testweb.de 63.239.73.83 - - [19/Nov/2017:23:27:26 +0100] "GET /service/want/teaser2/Buk/ HTTP/1.1" 200 319 "-" "https://testweb.de/Suche/Buk/Bonn" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "65.259.77.67" 0

I am expecting something like this:

server: 192.178.35.40
website: testweb.de
clientip: 63.239.73.83
timestamp: 19/Nov/2017:23:27:26 +0100
method: GET
RESOURCE: /service/want/teaser2/Buk/ HTTP/1.1
RESPONSE: 200
TIMETAKEN: 319
USERAGENT: Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
COOKIE: 0

I tried it on https://grokdebug.herokuapp.com/ by giving the pattern

%{IP:SERVER}

and got a result, but I could not parse the remaining data.

How do you expect to extract everything into its own field for matching using only a single pattern?

You need to match each field separately to get the output you want. Can you try this?

\[Server %{IPV4:server}\] %{HOSTNAME:website} %{IPV4:client} - - \[%{HTTPDATE:timestamp}\] \"%{WORD:method} (?<resource>%{NOTSPACE} HTTP/%{NUMBER})\" %{NUMBER:response} %{NUMBER:TimeTaken} \"-\" \"%{URI}\" \"%{GREEDYDATA:useragent}\).*%{NUMBER:cookie}

This will output:

{
  "server": [["192.178.35.40"]],
  "website": [["testweb.de"]],
  "client": [["63.239.73.83"]],
  "timestamp": [["19/Nov/2017:23:27:26 +0100"]],
  "MONTHDAY": [["19"]],
  "MONTH": [["Nov"]],
  "YEAR": [["2017"]],
  "TIME": [["23:27:26"]],
  "HOUR": [["23"]],
  "MINUTE": [["27"]],
  "SECOND": [["26"]],
  "INT": [["+0100"]],
  "method": [["GET"]],
  "resource": [["/service/want/teaser2/Buk/ HTTP/1.1"]],
  "NOTSPACE": [["/service/want/teaser2/Buk/"]],
  "NUMBER": [["1.1"]],
  "BASE10NUM": [["1.1", "200", "319", "0"]],
  "response": [["200"]],
  "TimeTaken": [["319"]],
  "URI": [["https://testweb.de/Suche/Buk/Bonn"]],
  "URIPROTO": [["https"]],
  "USER": [[null]],
  "USERNAME": [[null]],
  "URIHOST": [["testweb.de"]],
  "IPORHOST": [["testweb.de"]],
  "HOSTNAME": [["testweb.de"]],
  "IP": [[null]],
  "IPV6": [[null]],
  "IPV4": [[null]],
  "port": [[null]],
  "URIPATHPARAM": [["/Suche/Buk/Bonn"]],
  "URIPATH": [["/Suche/Buk/Bonn"]],
  "URIPARAM": [[null]],
  "useragent": [["Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html"]],
  "cookie": [["0"]]
}
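To see what the answer's pattern actually does without the online debugger, here is an added example (not code from the question or the answer, and not the Logstash grok library itself): a small Python re-implementation of grok's macro expansion, using a hand-written, simplified subset of the standard pattern library (that subset, and the field name `forwarded`, are assumptions), applied to the log line from the question. It also shows a tighter ending for the pattern, because the answer's `\).*` cuts the closing parenthesis off the user agent and silently discards the quoted IP that precedes the final number.

```python
"""Minimal grok-style expander: turns %{NAME[:field]} macros into a Python regex.

Added example, not from the original question or answer. The pattern library
below is a hand-written, simplified subset of the Logstash grok defaults
(assumption: close enough for this access-log line; the real ones are stricter).
"""
import re

# Simplified grok pattern library (assumption: subset of logstash-patterns-core).
PATTERNS = {
    "INT": r"[+-]?\d+",
    "NUMBER": r"[+-]?(?:\d+(?:\.\d+)?|\.\d+)",
    "WORD": r"\w+",
    "NOTSPACE": r"\S+",
    "GREEDYDATA": r".*",
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "HOSTNAME": r"(?:[A-Za-z0-9-]+\.)*[A-Za-z0-9-]+",
    "MONTHDAY": r"(?:0[1-9]|[12]\d|3[01])",
    "MONTH": r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)",
    "YEAR": r"\d{4}",
    "TIME": r"\d{2}:\d{2}:\d{2}",
    # Composite macro, built from the smaller ones just like the real grok library.
    "HTTPDATE": r"%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}",
    "URI": r"[A-Za-z][A-Za-z0-9+.-]*://[^\s\"]*",
}

MACRO = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand(grok):
    """Replace every %{NAME[:field]} with its library regex until none remain.
    Also rewrites grok's (?<name>...) capture syntax into Python's (?P<name>...)."""
    def sub(m):
        name, field = m.group(1), m.group(2)
        body = PATTERNS[name]  # KeyError for an unknown name, as grok would error
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    while MACRO.search(grok):          # loop so nested macros (HTTPDATE) expand too
        grok = MACRO.sub(sub, grok)
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", grok)


def grok_match(grok, line):
    """Apply a grok pattern to one line. grok is unanchored, hence search()."""
    m = re.compile(expand(grok)).search(line)
    return m.groupdict() if m else None


# Everything up to the user agent, shared by both endings below.
PREFIX = (r"\[Server %{IPV4:server}\] %{HOSTNAME:website} %{IPV4:client} - - "
          r"\[%{HTTPDATE:timestamp}\] \"%{WORD:method} (?<resource>%{NOTSPACE} HTTP/%{NUMBER})\" "
          r"%{NUMBER:response} %{NUMBER:TimeTaken} \"-\" \"%{URI}\" ")

# The answer's ending: greedy up to the last ')' then skip to the final number.
ANSWER_PATTERN = PREFIX + r"\"%{GREEDYDATA:useragent}\).*%{NUMBER:cookie}"

# Tighter ending: keep the full quoted user agent and capture the quoted IP
# before the final number ('forwarded' is an assumed name; the log does not say).
TIGHT_PATTERN = PREFIX + r"\"%{GREEDYDATA:useragent}\" \"%{IPV4:forwarded}\" %{NUMBER:cookie}"

# The log line from the question.
SAMPLE = ('[Server 192.178.35.40] testweb.de 63.239.73.83 - - [19/Nov/2017:23:27:26 +0100] '
          '"GET /service/want/teaser2/Buk/ HTTP/1.1" 200 319 "-" "https://testweb.de/Suche/Buk/Bonn" '
          '"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) '
          'Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" '
          '"65.259.77.67" 0')

if __name__ == "__main__":
    for label, pattern in (("answer", ANSWER_PATTERN), ("tight", TIGHT_PATTERN)):
        print(f"--- {label} ---")
        for k, v in grok_match(pattern, SAMPLE).items():
            print(f"{k}: {v}")
```

Running it prints the same named fields the debugger shows for the answer's pattern (with the user agent missing its closing parenthesis), and for the tighter pattern the complete user agent plus the trailing IP as its own field. Because grok matching is unanchored, a line that does not fit the format returns None rather than partial fields, which is the case to check for in a Logstash pipeline (a `_grokparsefailure` tag) before trusting any of the values.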
