我一直在网上搜索,但无法弄清楚这一点。
grok {
match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{URIPATH:url}
}
我需要从网址中获取内容并将其放入弹性搜索中。
日志有这样的网址
网址1 = / NEED_A / Constant_A / Constant_B / Constant_C / Need_B / Constant_D / Need_C / Need_D
网址2 = / NEED_A / Constant_A / Constant_B / Constant_C / Need_B / Constant_D
网址3 = / Wierd_A
Need_A,NEED_B,NEED_C,Need_D,Wierd_A应该进入相应的领域。
我一直试图找到一个if else-if循环,但还没有真正得到任何东西。
grok {
match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} {URIPATH:url} %]
}
if[url] == "/*/Constant_A/Constant_B/Constant_C/*/Constant_D/*/*" {
\/%{WORD:NEED_A}\/.*\/.*\/.*\/%{WORD:NEED_B}\/.*\/%{WORD:NEED_C}
}
else-if[url] == "/*/Constant_A/Constant_B/Constant_C/*/Constant_D" {
\/%{WORD:NEED_A}\/.*\/.*\/.*\/%{WORD:NEED_B}\/.*\/
}
else-if
//something similar for url 3
}
//move on if nothing matches
有什么想法吗?
答案 0 :(得分:1)
logstash不是一个循环类型系统。
如果您想针对输入运行多种模式,只需Passing Reference Type Variables:
grok {
match => {
"message" => [
"%{PATTERN1}",
"%{PATTERN2}"
]
]
}