我想为 OASIS 日志创建自定义 GROK。
2019-10-29 00:36:53Z|User -User trying to login from desktop oasis screen|Cart -|Level -INFO|Severity -Information|Class -oaCheckOut.aspx.vb|Function -Button1_Click : oaCheckOut|UserID: 261343 Cart_ID: 8050513 - Start : Validate K12PunchinGuest mandatory fields execution
我开始的格罗克
%{TIMESTAMP_ISO8601:timestamp}|%{GREEDYDATA:user}|%{DATA}%{SPACE}-%{DATA:Level}
到目前为止,我的输出。
{
"timestamp": [
[
"2019-10-29 00:36:53Z"
]
],
"user": [
[
"User -User trying to login from desktop oasis screen|Cart -|Level -INFO|Severity -Information|Class -oaCheckOut.aspx.vb|Function -Button1_Click : oaCheckOut"
]
],
"Level": [
[
""
]
]
}
在这里,我无法分别拆分用户、级别和严重性。
实现我期望的最佳方法是什么?什么是正确的 GROK? 请帮帮我。
请尝试下面的grok,
%{TIMESTAMP_ISO8601:timestamp}|(?:User -%{GREEDYDATA:User})|(?:Cart -%{GREEDYDATA:Cart})|(?:Level -%{GREEDYDATA:Level})|(?:Severity -%{GREEDYDATA:Severity})|(?:Class -%{GREEDYDATA:Class})|(?:Function -%{GREEDYDATA:Function})|(?:UserID: %{BASE10NUM:UserID})s(?:Cart_ID: %{BASE10NUM:Cart_ID})%{GREEDYDATA}