我有相同的日志模式,我正在加载到logstash。 我正在编写多个grokpatterns来解决手头的问题。目前这有效,但寻找一种有效的方法,通过使用GROK模式或其他方式将日志分成键值对。 这里有任何建议或帮助。
filter {
grok {
match => {"message"=> ["%{TIMESTAMP_ISO8601:log_timestamp} %{GREEDYDATA:thread}, hostname=%{WORD:hostname}, level=%{WORD:level} , logger=%{WORD:logger}, et=%{NOTSPACE:et},%{GREEDYDATA:loginfo}, cid=%{WORD:cid}, workitem=%{NOTSPACE:workitem}, dev_id=%{NOTSPACE:dev_id}, model=%{GREEDYDATA:model}, customer_id=%{NOTSPACE:customer_id}, customer_name=%{GREEDYDATA:customer_name}, conn_id=%{NOTSPACE:conn_id}, ipaddr=%{IP:ipaddr}, hostname=%{GREEDYDATA:hostname}, serial_num=%{NOTSPACE:serialnumber}, model_support=%{NOTSPACE:model_support}, model_num=%{NOTSPACE:model_num}, mSKU=%{WORD:mSKU}, ocv_status=%{WORD:ocv_status}, mcid=%{GREEDYDATA:mcid}",
"%{TIMESTAMP_ISO8601:log_timestamp} %{GREEDYDATA:thread}, hostname=%{WORD:hostname}, level=%{WORD:level} , logger=%{WORD:logger}, et=%{NOTSPACE:et},%{GREEDYDATA:log}",
"%{TIMESTAMP_ISO8601:log_timestamp} %{GREEDYDATA:thread}, hostname=%{WORD:hostname}, level=%{WORD:level} , logger=%{WORD:logger},%{GREEDYDATA:log}"]}
}
}