Please help.
My log contains a line like this:
Host = hostname SomeApp = AppName SomeMessage = Data[result = ABCD-123456@sip.site.com,1,2,,0,,,sip:user@user.sip.site.com;transport=tcp;host-sip=1;media-service=media,00ABCDEF01234567890,media,0]
For the kv split, I used these values:
kv {
  trim_key => "\s"
  value_split => "="
}
I got this output:
"Host": "hostname",
"SomeApp": "AppName",
"SomeMessage": "Data[result",
"ABCD-123456@sip.site.com,1,2,,0,,,sip:user@user.sip.site.com;transport": "tcp;host-sip=1;media-service=media,00ABCDEF01234567890,media,0]",
How do I write a rule to get this?
"Host": "hostname",
"SomeApp": "AppName",
"SomeMessage": "Data[result = ABCD-123456@sip.site.com,1,2,,0,,,sip:user@user.sip.site.com;transport": "tcp;host-sip=1;media-service=media,00ABCDEF01234567890,media,0]",
Answer 0: (score 0)
Oh my. This is going to give me nightmares.
IF you can trust that the SomeMessage field is always the last field on the line, you can fake it with grok.
# This populates the SomeMessage field, and creates a new field
# called `clipped_message` for later use with kv {}
grok {
  match => {
    message => "^%{DATA:clipped_message} SomeMessage = %{GREEDYDATA:SomeMessage}$"
  }
}
kv {
  source => "clipped_message"
  trim_key => "\s"
  value_split => "="
}
This is format-dependent. The first grok filter populates the tricky field and clips it off entirely by putting the string that precedes it into a new field. The kv {} then parses the clipped string afterwards, which should populate the other fields.
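To show why the plain kv {} split goes wrong on this line and how the grok-then-kv order from the answer fixes it, here is an added Python emulation (not Logstash code and not from the original post). It assumes a simplified kv scan (non-space key, "=", non-space value) that reproduces the output the question shows, and a sample line constructed to mirror the one in the question.

```python
import re

# Constructed sample line, modelled on the one in the question.
LOG_LINE = (
    "Host = hostname SomeApp = AppName SomeMessage = Data[result = "
    "ABCD-123456@sip.site.com,1,2,,0,,,sip:user@user.sip.site.com;"
    "transport=tcp;host-sip=1;media-service=media,00ABCDEF01234567890,media,0]"
)

# Stand-in for kv { value_split => "=" }: a key is a run of non-space characters
# before "=", a value is the run of non-space characters after it (assumption:
# this approximates Logstash's default field_split " " plus trim_key "\s").
KV_PAIR = re.compile(r"(\S+?)\s*=\s*(\S+)")

def kv_like(text):
    """Return the key/value pairs a kv-style scan would extract from text."""
    return {key: value for key, value in KV_PAIR.findall(text)}

def parse_naive(line):
    """kv {} run over the whole line: the '=' inside SomeMessage derails it."""
    return kv_like(line)

# Stand-in for the grok pattern in the answer: DATA is lazy (.*?), GREEDYDATA is
# greedy (.*), and SomeMessage is assumed to be the last field on the line.
CLIP = re.compile(r"^(?P<clipped_message>.*?) SomeMessage = (?P<SomeMessage>.*)$")

def parse_clipped(line):
    """grok first, then kv {} only on clipped_message, as the answer suggests."""
    match = CLIP.match(line)
    if match is None:
        # grok would add a _grokparsefailure tag to the event instead
        return {"_grokparsefailure": True}
    fields = {"SomeMessage": match.group("SomeMessage")}
    fields.update(kv_like(match.group("clipped_message")))
    return fields

if __name__ == "__main__":
    print(parse_naive(LOG_LINE))    # SomeMessage truncated to "Data[result"
    print(parse_clipped(LOG_LINE))  # Host, SomeApp and the full SomeMessage
```

The naive run reproduces the broken key from the question; the clipped run reproduces the three fields the asker wants, and a line without SomeMessage falls through to the failure branch rather than being mis-split.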