小贝子编程

基于字符串筛选消息



我在同一个日志文件
中有以下日志2019-11-23T14:38:43.495 backendorg [http-nio-8080-exec-45] INFO http-nio-8080-exec-45 SessionController http://localhost:8080/ABC/session/login abc.nayak@zinier.com backendorg

2019-11-23T14:38:44.235 backendorg [http-nio-8080-exec-45] INFO http-nio-8080-exec-45 SessionController userSession: backendorg 16CFAFCCFB14D9A3 16E978545E17BFEC 16E978545E1452FF

使用以下过滤器根据字符串">userSession"解析上述消息。

input {
file {
tags => ["stacktrace"]
type => "error_logs"
path => ["/Users/znrind-a0053/Downloads/logs/zapp-audit.log"]
start_position => "beginning"
sincedb_path => "/tmp/sincedb_file"
codec => multiline {
pattern => "^%{TIMESTAMP_ISO8601} "
negate => true
what => previous
}
}
}
filter {
if "userSession" in [message]{
grok {
match => [ "message",
"%{TIMESTAMP_ISO8601:timestamp_match} %{USERNAME:orgId} ([%{DATA:thread}])?( )?%{LOGLEVEL:level}%{SPACE}%{USERNAME:zhost} %{JAVAFILE:javaClass} %{URI:url}%{SPACE}(?<email>[w.+=:-]+@[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:[.](?:[0-9A-Za-z][0-9A-Za-z‌​-]{0,62}))*)%{SPACE}%{USERNAME:orgnisation}"]
}
} else {
grok {
match => [ "message",
"%{TIMESTAMP_ISO8601:timestamp_match} %{USERNAME:orgId} ([%{DATA:thread}])?( )?%{LOGLEVEL:level}%{SPACE}%{USERNAME:zhost} %{JAVACLASS:javaClass} %{USERNAME:logmessage}:?%{SPACE}%{USERNAME:orgnisation}%{SPACE}%{USERNAME:loginUserId}%{SPACE}%{USERNAME:sessionId}%{SPACE}%{USERNAME:txnId}"]
}
}
}
output {
elasticsearch {
hosts => "localhost"
index => "logs"
}
stdout{codec => json}
}

但是收到 GROK 解析器错误。任何建议都非常感谢。

filter中尝试这个:

filter {
if "userSession" in [message]{
grok {
match => [ "message",
"%{TIMESTAMP_ISO8601:timestamp_match} %{USERNAME:orgId} ([%{DATA:thread}])?( )?%{LOGLEVEL:level}%{SPACE}%{USERNAME:zhost} %{JAVAFILE:javaClass} %{USERNAME:logmessage}:?%{SPACE}%{USERNAME:orgnisation}%{SPACE}%{USERNAME:loginUserId}%{SPACE}%{USERNAME:sessionId}%{SPACE}%{USERNAME:txnId}"]
}
} else {
grok {
match => [ "message",
"%{TIMESTAMP_ISO8601:timestamp_match} %{USERNAME:orgId} ([%{DATA:thread}])?( )?%{LOGLEVEL:level}%{SPACE}%{USERNAME:zhost} %{JAVAFILE:javaClass} %{URI:url}%{SPACE}(?<email>[w.+=:-]+@[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:[.](?:[0-9A-Za-z][0-9A-Za-z‌​-]{0,62}))*)%{SPACE}%{USERNAME:orgnisation}"]
}
}
}

对于您必须使用的电子邮件(来源(

(?<email>[a-zA-Z0-9_.+=:-]+@[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:.(?:[0-9A-Za-z][0-‌​9A-Za-z-]{0,62}))*)


(?<email>[w.+=:-]+@[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:[.](?:[0-9A-Za-z][0-9A-Za-z‌​-]{0,62}))*)

因此,您的匹配将成为

%{TIMESTAMP_ISO8601:timestamp_match} %{USERNAME:orgId} ([%{DATA:thread}])?( )?%{LOGLEVEL:level}%{SPACE}%{USERNAME:zhost} %{JAVAFILE:javaClass} %{URI:url}%{SPACE}(?<email>[w.+=:-]+@[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:[.](?:[0-9A-Za-z][0-9A-Za-z‌​-]{0,62}))*)%{SPACE}%{USERNAME:orgnisation}

相关内容

  • 没有找到相关文章

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium