How to write a grok filter in logstash that accepts a variable number of parameters

Time: 2015-07-02 18:05:45

Tags: elasticsearch logstash logstash-grok

How do I write a grok filter rule if the message contains a transaction with a variable number of parameters?

For example:

22-Jun-2015 04:45:56 Transaction for Bill 123 item1=100 item2=200 item3=300
22-Jun-2015 05:45:23 Transaction for Bill 124 item1=200
22-Jun-2015 06:23:36 Transaction for Bill 125 item4=400 item2=200 item1=100 item5=500

In the case above we can match the date, time and bill #, but how do we handle the variable number of item parameters?

1 answer:

Answer 0 (score: 0)

In the end I was able to do this using logstash's kv {} option.

For example:

 item1=100&item2=200&item3=300
 item1=100&item2=200&item3=300&item4=400

I created two messages and got the following output:

{
       "message" => "item1=100&item2=200&item3=300",
      "@version" => "1",
    "@timestamp" => "2015-07-04T19:20:15.831Z",
          "host" => "viswesn-PC",
         "item1" => "100",
         "item2" => "200",
         "item3" => "300",
          "tags" => [
        [0] "true"
    ]
}
{
       "message" => "item1=100&item2=200&item3=300&item4=400",
      "@version" => "1",
    "@timestamp" => "2015-07-04T19:20:25.866Z",
          "host" => "viswesn-PC",
         "item1" => "100",
         "item2" => "200",
         "item3" => "300",
         "item4" => "400",
          "tags" => [
        [0] "true"
    ]
}
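The answer shows kv on its own; the question's lines also carry a fixed prefix (date, time, bill number), and the items there are separated by spaces, not by the "&" that kv splits on by default. The usual way to combine the two is a grok pattern that captures the fixed part and hands the remainder to kv with field_split set to a space. The Python below is an added example, not code from the question or the answer: it implements that grok-then-kv chain over the three lines from the question (embedded here as constructed samples) and adds the check a practitioner would want, an allowlist on key names, because kv turns any "key=value" token in the log text into a new event field. The LOGSTASH_FILTER string, the item-number key shape, the dropped_tokens field and the hostile sample line are assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed sample lines, copied from the question above.
SAMPLE_LINES = [
    "22-Jun-2015 04:45:56 Transaction for Bill 123 item1=100 item2=200 item3=300",
    "22-Jun-2015 05:45:23 Transaction for Bill 124 item1=200",
    "22-Jun-2015 06:23:36 Transaction for Bill 125 item4=400 item2=200 item1=100 item5=500",
]

# Constructed hostile line: whoever controls the log text tries to smuggle
# extra "key=value" tokens past the parser to create fields of their choosing.
HOSTILE_LINE = "22-Jun-2015 07:00:00 Transaction for Bill 126 item1=100 host=evil @timestamp=1970"

# Assumed logstash equivalent of the logic below (not from the page): grok keeps
# the fixed prefix, kv parses only the captured remainder, writes the result under
# its own target so item fields cannot collide with top-level event fields, and
# include_keys keeps only the keys the application is known to emit.
LOGSTASH_FILTER = r"""
filter {
  grok {
    match => { "message" => "%{MONTHDAY:day}-%{MONTH:month}-%{YEAR:year} %{TIME:time} Transaction for Bill %{INT:bill} %{GREEDYDATA:items}" }
  }
  kv {
    source      => "items"
    field_split => " "
    value_split => "="
    target      => "items"
    include_keys => [ "item1", "item2", "item3", "item4", "item5" ]
  }
}
"""

# Python equivalent of the grok pattern above: strict match on the fixed prefix,
# then everything after the bill number captured as one string for the kv step.
GROK_RE = re.compile(
    r"^(?P<timestamp>\d{1,2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) "
    r"Transaction for Bill (?P<bill>\d+)"
    r"(?: (?P<items>.*))?$"
)

# Assumed key shape for this example. Without such a check any "foo=bar" in the
# log line becomes a field, so untrusted log text can create arbitrary fields
# (mapping growth in Elasticsearch, clobbering of fields later stages rely on).
KEY_RE = re.compile(r"^item\d+$")


def parse_kv(text, field_split=" ", value_split="=", key_re=KEY_RE):
    """Split 'k=v k2=v2' into a dict the way logstash's kv filter does.

    Tokens without value_split, and keys that fail key_re, are dropped and
    counted. Unlike kv, which collects duplicate keys into an array, the first
    value wins here. Values stay strings, as they do after grok and kv.
    """
    fields, dropped = {}, 0
    for token in text.split(field_split):
        if not token:
            continue  # tolerate repeated separators
        key, sep, value = token.partition(value_split)
        if not sep or not key_re.match(key):
            dropped += 1
            continue
        fields.setdefault(key, value)
    return fields, dropped


def parse_transaction(line):
    """Parse one log line into an event dict.

    Returns None when the fixed prefix does not match, which is the equivalent
    of grok tagging the event with _grokparsefailure.
    """
    m = GROK_RE.match(line)
    if not m:
        return None
    items, dropped = parse_kv(m.group("items") or "")
    return {
        "timestamp": datetime.strptime(m.group("timestamp"), "%d-%b-%Y %H:%M:%S"),
        "bill": int(m.group("bill")),
        "items": items,            # variable fields, kept under their own key (kv target)
        "dropped_tokens": dropped,  # assumed field: how many tokens the allowlist rejected
    }


if __name__ == "__main__":
    for line in SAMPLE_LINES + [HOSTILE_LINE, "not a transaction line"]:
        print(parse_transaction(line))
```

Running the block prints one event per sample line, None for the non-matching line, and for the hostile line an event with only item1 kept and dropped_tokens set to 2; a non-zero dropped_tokens count is worth alerting on, since the application is not expected to emit anything but itemN keys.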