logstash grok parse url
我一直在网上搜索,但无法完全弄清楚。
1 2 3 | grok { match => ["message","%{TIMESTAMP_ISO8601:log_timestamp} %{URIPATH:url} } |
我需要从url中获取内容,并将其放入弹性搜索中。
日志具有这样的网址
URL 1 =
/ NEED_A / Constant_A / Constant_B / Constant_C / Need_B / Constant_D / Need_C / Need_D
URL 2 =
/ NEED_A / Constant_A / Constant_B / Constant_C / Need_B / Constant_D
URL 3 =
/ Wierd_A
Need_A,NEED_B,NEED_C,Need_D,Wierd_A应该放在相应的字段中。
我一直试图找到一个if else-if循环,但还没有真正得到任何东西。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | grok { match => ["message","%{TIMESTAMP_ISO8601:log_timestamp} {URIPATH:url} %] } if[url] =="/*/Constant_A/Constant_B/Constant_C/*/Constant_D/*/*" { \\/%{WORD:NEED_A}\\/.*\\/.*\\/.*\\/%{WORD:NEED_B}\\/.*\\/%{WORD:NEED_C} } else-if[url] =="/*/Constant_A/Constant_B/Constant_C/*/Constant_D" { \\/%{WORD:NEED_A}\\/.*\\/.*\\/.*\\/%{WORD:NEED_B}\\/.*\\/ } else-if //something similar for url 3 } //move on if nothing matches |
有什么想法吗?
logstash不是循环类型系统。
如果要针对您的输入运行多种模式,只需列出它们:
1 2 3 4 5 6 7 8 | grok { match => { "message" => [ "%{PATTERN1}", "%{PATTERN2}" ] ] } |