嘿,我有一个包含许多行的文本文件,每行包含3个以空格分隔的值:
username email hash
username email hash
username email hash
username email hash
username email hash
我尝试使用此配置使用logstash索引列表:
input {
file {
path => "/path/to/your/file.log"
start_position => beginning
sincedb_path => "/dev/null"
}
}
filter {
grok {
match => {"message" => "%{WORD:username} %{WORD:email} %{WORD:hash}" }
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
}
}
我的问题是logstash索引就像那样:
{
"_index": "logstash-2017.06.01",
"_type": "logs",
"_id": "AVxinqK5XRvft8kN7Q6M",
"_version": 1,
"_score": null,
"_source": {
"path": "C:/Users/user/Desktop/user/log.txt",
"@timestamp": "2017-06-01T07:46:22.488Z",
"@version": "1",
"host": "DESKTOP-FNGSJ6C",
"message": "username email password",
"tags": [
"_grokparsefailure"
]
},
"fields": {
"@timestamp": [
1496303182488
]
},
"sort": [
1496303182488
]
}
我希望它像那样:
{
"_index": "logstash-2017.06.01",
"_type": "db",
"_id": "AVxinqK5XRvft8kN7Q6M",
"_version": 1,
"_score": null,
"_source": {
"username": "Marlb0ro",
"email": "Marlb0ro@site.com",
"hash": "123456",
}
我该怎么做才能改变它?任何帮助都将被批准
答案 0 :(得分:1)
当我尝试在http://grokconstructor.appspot.com中测试你的grok时出现解析错误。由于空格是分隔符,我尝试使用NOTSPACE作为用户名和电子邮件:
%{NOTSPACE:username} %{NOTSPACE:email} %{WORD:hash}
答案 1 :(得分:0)
我很确定你的grok解析器不起作用。因为“Word”模式与Hash或EMail Adress不匹配。
您可以在github页面(here)
上查看预定义的模式有一个“EMAILADDRESS”模式,对于哈希,我会使用“用户名”。