Question

我有制表符分隔字符串，我想使用grok插件提取每个字段。制表符分隔的字符串就像

http://www.allaboutpc.co.kr 2016110913 d6123c6caa12f08852c82b876bdd3ceceb166d5e 0 0 1 0 /Event/QuizChoice.asp?IdxEvent=3141

我想将每个字段设为 url ，日期时间，哈希值， count1 ， count2 ， count3 ， count4 ，路径。

我使用％{DATA：hashvalue} 为第3个字段提取 hashvalue ，但logstash没有打印hashvalue

这是我的conf文件

input {
    stdin { }
    file {
        path => "/Users/Projects/webmastermrinput/20161021/17/*"
        codec => plain
    }
}
filter {
    # tab to space 
    mutate {
       gsub => ["message", "\t", " "]
    }
    grok {
        match => {
            'message' => "%{DATA:url} %{NUMBER:datetime2} %{DATA:hashvalue} %    {NUMBER:count1} %{NUMBER:count2} %{NUMBER:count3} %{NUMBER:count4} %      {URIPATHPARAM:path}'
        }
    }
}
output {
    stdout { codec => rubydebug }
}

输入的Logstash输出：“http://www.allaboutpc.co.kr 2016110913 d6123c6caa12f08852c82b876bdd3ceceb166d5e 0 0 1 0 /Event/QuizChoice.asp?IdxEvent=3141”

{
    "@timestamp" => 2016-11-11T02:26:01.828Z,
    "@version" => "1",
    "host" => "MacBook-Air-10.local",
    "datetime" => "2016110913",
    "message" => "http://www.allaboutpc.co.kr 2016110913  d6123c6caa12f08852c82b876bdd3ceceb166d5e    0   0   1   0   /Event/QuizChoice.asp?IdxEvent=3141",
    "url" => "http://www.allaboutpc.co.kr"
}

Answer 1

你的grok工作得很好，你只需删除%和{中% {NUMBER:count1}和% {URIPATHPARAM:path}之间的空格和'message' => "%{DATA:url} %{NUMBER:datetime2} %{DATA:hashvalue} % {NUMBER:count1} %{NUMBER:count2} %{NUMBER:count3} %{NUMBER:count4} % {URIPATHPARAM:path}' ^ ^ | | here and here

var claimIdentity = (Context.User.Identity as Microsoft.IdentityModel.Claims.IClaimsIdentity);
claimIdentity.Claims.Add(new Claim(ClaimTypes.Role, "Manager"));

Logstash grok与特定字段不匹配

1 个答案: