我想在多个字段(而不是一个字段)中拆分带有完整日志行的字段。现在,日志值用管道分隔,并想知道是否有办法执行此操作。提前谢谢。
日志行示例:
INFO |2017-12-06T15:00:00,344|532fdcaa-ca27-4b38-8d6b-408bd72e94f2|qk29fnkgsye45d33hxsuctdu:AMOMA|ApiAvailabilityRQ|0||20171208|20171111|1~2~0|HTL:true,COMPANYNAME>121704;PAY:AT_WEB|ADC68E2C0F1D4FF08F6D6DBCCCB227011600|1|4
我的格鲁克:
grok {
match => [ "message", "^(?m)%{WORD:level}\s?\|%{TIMESTAMP_ISO8601:timestamp}\|(?<echoToken>([^|]*))\|(?<apiKey>(\w*))(\:(?<ttoo>([\w ]*)))?\|%{WORD:operation}\|%{NUMBER:processTime}\|((?<exceptionType>[^|\:]+)(\:(?<exceptionDetail>[^|#]+)(###(?<exceptionMessage>[^|]+))?)?)?\|(((?<checkin>(\d+))\|(?<checkout>(\d+))\|(?<occupancy>([\d~#]+))\|((?:HTL:)(?<hotels_included(true|false)),(?:HOTELBEDS|GIATA)\->(?<hotels>([\d|,]+))|(?:DST:(?<destination>(\w+))(\w*))(;ZON:(?<zone>(\d+)))?|(GEO:(?<geo>([^;]*))))(;(?<filters>[^|]+))?\|(?<cacheKey>(\w+))?\|(?<num_hotels>(\d+))\|(?<num_ratekeys>(\d+))(\|(?<slow>(SLOW)))?)|((?<bookingDetail>(\d+-\d+))(\|(?<checkin>(\d+))\|(?<checkout>(\d+))\|(?<hotel>(\d+))\|(?<destination>(\w+))\|(?<zone>(\d+))\|(?<amount>([\d\.]+))\|%{GREEDYDATA:rateKey})?)|%{GREEDYDATA:logMessage})" ]
}
答案 0 :(得分:3)
此模式设法获取由管道分隔的值。
^(?m)%{WORD:level}\s?\|%{TIMESTAMP_ISO8601:timestamp}\|(?<echoToken>([^|]*))\|(?<apiKey>(\w*))(\:(?<ttoo>([\w ]*)))?\|%{WORD:operation}\|%{NUMBER:processTime}\|((?<exceptionType>[^|\:]+)(\:(?<exceptionDetail>[^|#]+)(###(?<exceptionMessage>[^|]+))?)?)?\|%{NUMBER:A}\|%{NUMBER:B}\|%{DATA:C}\|%{DATA:D}\|%{DATA:E}\|%{NUMBER:F}\|%{NUMBER:G}
开头是基于问题中提供的那个,结尾是为了抓住管道之间的内容。