我有制表符分隔字符串,我想使用grok插件提取每个字段。 制表符分隔的字符串就像
http://www.allaboutpc.co.kr 2016110913 d6123c6caa12f08852c82b876bdd3ceceb166d5e 0 0 1 0 /Event/QuizChoice.asp?IdxEvent=3141
我想将每个字段设为 url ,日期时间,哈希值, count1 , count2 , count3 , count4 ,路径。
我使用%{DATA:hashvalue} 为第3个字段提取 hashvalue ,但logstash没有打印hashvalue
这是我的conf文件
input {
stdin { }
file {
path => "/Users/Projects/webmastermrinput/20161021/17/*"
codec => plain
}
}
filter {
# tab to space
mutate {
gsub => ["message", "\t", " "]
}
grok {
match => {
'message' => "%{DATA:url} %{NUMBER:datetime2} %{DATA:hashvalue} % {NUMBER:count1} %{NUMBER:count2} %{NUMBER:count3} %{NUMBER:count4} % {URIPATHPARAM:path}'
}
}
}
output {
stdout { codec => rubydebug }
}
输入的Logstash输出:“http://www.allaboutpc.co.kr 2016110913 d6123c6caa12f08852c82b876bdd3ceceb166d5e 0 0 1 0 /Event/QuizChoice.asp?IdxEvent=3141”
{
"@timestamp" => 2016-11-11T02:26:01.828Z,
"@version" => "1",
"host" => "MacBook-Air-10.local",
"datetime" => "2016110913",
"message" => "http://www.allaboutpc.co.kr 2016110913 d6123c6caa12f08852c82b876bdd3ceceb166d5e 0 0 1 0 /Event/QuizChoice.asp?IdxEvent=3141",
"url" => "http://www.allaboutpc.co.kr"
}
答案 0 :(得分:0)
你的grok工作得很好,你只需删除%
和{
中% {NUMBER:count1}
和% {URIPATHPARAM:path}
之间的空格和'message' => "%{DATA:url} %{NUMBER:datetime2} %{DATA:hashvalue} % {NUMBER:count1} %{NUMBER:count2} %{NUMBER:count3} %{NUMBER:count4} % {URIPATHPARAM:path}'
^ ^
| |
here and here
var claimIdentity = (Context.User.Identity as Microsoft.IdentityModel.Claims.IClaimsIdentity);
claimIdentity.Claims.Add(new Claim(ClaimTypes.Role, "Manager"));