我正在尝试编写一个 Grok 过滤器来解析 logstash 中的 WSO2 日志。我能够映射所有必需的属性。但是在一个属性中,我们需要删除 10 个数字字符。
有人可以告诉我如何在 Grok 模式中做到这一点。
例-在下面:
"context": [
[
"/app/custManagement/v2/customer/lookup/9999999999"
]
预期:
"context": [
[
"/app/custManagement/v2/customer/lookup/"
]
WSO2 日志:
TID: [-1234] [] [2020-05-11 15:20:16,803] INFO {org.apache.synapse.mediators.builtin.LogMediator} - WSO2Status = SUCCESS, APIE2ETime = /app/custManagement/v2/customer/lookup/9999999999, X-External-CorrelationId = 7613691301, IN = 2020-05-11T15:20:15.656+05:30, OUT = 2020-05-11T15:20:16.803+05:30, HTTP_SC = 200, Channel = WEB, Http_Method = GET, RemoteAddress = 17.98.27.231 {org.apache.synapse.mediators.builtin.LogMediator}
格罗克模式:
TID:%{SPACE}[%{INT:tenant_id}]%{SPACE}[]%{SPACE}[%{TIMESTAMP_ISO8601:hit_timestamp}]%{SPACE}%{LOGLEVEL:level}%{SPACE}{%{JAVACLASS:java_class}}%{SPACE}-%{SPACE}WSO2Status%{SPACE}=%{SPACE}%{WORD:Status},%{SPACE}APIE2ETime%{SPACE}=%{SPACE}%{GREEDYDATA:context},%{SPACE}X-External-CorrelationId%{SPACE}=%{SPACE}%{WORD:CorrelationId},%{SPACE}IN%{SPACE}=%{SPACE}%{TIMESTAMP_ISO8601:in_timestamp},%{SPACE}OUT%{SPACE}=%{SPACE}%{TIMESTAMP_ISO8601:out_timestamp},%{SPACE}HTTP_SC%{SPACE}=%{SPACE}%{INT:http_sc},%{SPACE}Channel%{SPACE}=%{SPACE}%{WORD:channel},%{SPACE}Http_Method%{SPACE}=%{SPACE}%{WORD:http_method},%{SPACE}RemoteAddress%{SPACE}=%{SPACE}%{IP:remoteaddress}%{SPACE}{%{JAVACLASS:java_class2}}
替换这个:
=%{SPACE}%{GREEDYDATA:context},%{SPACE}
由
=%{SPACE}%{GREEDYDATA:context}/%{NUMBER},%{SPACE}