Logstash grok pattern for ping

Time: 2018-03-28 07:18:46

Tags: logstash logstash-grok logstash-configuration

I get this sample from the log:

Tue Mar 27 06:51:48 2018 PING www.google.com (172.217.169.100) 56(84) bytes of data.
64 bytes from sof02s31-in-f4.1e100.net (172.217.169.100): icmp_seq=1 ttl=128 time=17.4 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 17.482/17.482/17.482/0.000 ms

I want to create a grok pattern for logstash and extract things like the TIMESTAMP, IPV4, TTL and the RTT min/avg/max from the last 2 lines.

This log comes every second from a ping script to the same IP. I guess I need a multiline pattern to get the values from each of these 6 lines at once?

Any help would be great!!!

Thanks

1 answer:

Answer 0 (score: 1)

You do not need multiline if you use Oniguruma syntax to escape the newline, i.e. \n.

For example, (?<newline>(.|\r|\n)*) can match all the unneeded data between the two sections of your log, i.e.

" time=17.4 ms\n\n--- www.google.com ping statistics ---\n1 packets transmitted, 1 received, 0% packet loss, time 0ms\n"

Your final grok pattern will look like this,

%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR} %{WORD:PING} %{HOSTNAME:host} \(%{IP:ip_address}\) %{DATA} ttl=%{INT:TTL}(?<newline>(.|\r|\n)*)rtt min/avg/max/mdev = %{NUMBER:min}/%{NUMBER:avg}/%{NUMBER:max}/%{NUMBER:mdev} ms

It will produce the following output,

{
  "DAY": [
    [
      "Tue"
    ]
  ],
  "MONTH": [
    [
      "Mar"
    ]
  ],
  "MONTHDAY": [
    [
      "27"
    ]
  ],
  "TIME": [
    [
      "06:51:48"
    ]
  ],
  "HOUR": [
    [
      "06"
    ]
  ],
  "MINUTE": [
    [
      "51"
    ]
  ],
  "SECOND": [
    [
      "48"
    ]
  ],
  "YEAR": [
    [
      "2018"
    ]
  ],
  "PING": [
    [
      "PING"
    ]
  ],
  "host": [
    [
      "www.google.com"
    ]
  ],
  "ip_address": [
    [
      "172.217.169.100"
    ]
  ],
  "IPV6": [
    [
      null
    ]
  ],
  "IPV4": [
    [
      "172.217.169.100"
    ]
  ],
  "DATA": [
    [
      "56(84) bytes of data. 64 bytes from sof02s31-in-f4.1e100.net (172.217.169.100): icmp_seq=1"
    ]
  ],
  "TTL": [
    [
      "128"
    ]
  ],
  "newline": [
    [
      " time=17.4 ms\n\n--- www.google.com ping statistics ---\n1 packets transmitted, 1 received, 0% packet loss, time 0ms\n"
    ]
  ],
  "min": [
    [
      "17.482"
    ]
  ],
  "BASE10NUM": [
    [
      "17.482",
      "17.482",
      "17.482",
      "0.000"
    ]
  ],
  "avg": [
    [
      "17.482"
    ]
  ],
  "max": [
    [
      "17.482"
    ]
  ],
  "mdev": [
    [
      "0.000"
    ]
  ]
}
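The following is an added example, not part of the question or the answer above: a small Python re-implementation of grok expansion that runs the answer's pattern over the six-line event, so the capture behaviour (including the greedy newline group) can be checked offline without a Logstash pipeline. The pattern library here is a constructed, simplified subset of Logstash's built-in definitions, not a copy of the real patterns file; `(?<newline>...)` is written in Python's `(?P<newline>...)` form because Python's `re` does not accept the Oniguruma spelling. The second pattern (`TOLERANT_PATTERN`) is my own variant, not the answer's: it types the fields with grok's `%{NAME:field:int|float}` suffix and makes the rtt line optional, because a 100%-loss block has no rtt line at all and the answer's pattern would fail to match exactly the events a monitor most wants to see. All sample events are constructed for this example.

```python
import re

# Constructed subset of the grok pattern library; bodies approximate Logstash's
# built-ins (DAY, MONTH, ...) but are simplified, not copied from the real file.
GROK_PATTERNS = {
    "DAY": r"(?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)",
    "MONTH": r"(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "TIME": r"(?:2[0-3]|[01]?[0-9]):[0-5][0-9](?::[0-5][0-9])?",
    "YEAR": r"(?:\d\d){1,2}",
    "WORD": r"\b\w+\b",
    "HOSTNAME": r"\b[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z-]{0,62})*\.?",
    "IP": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",  # IPv4 only; the real %{IP} also covers IPv6
    "DATA": r".*?",
    "INT": r"[+-]?[0-9]+",
    "NUMBER": r"[+-]?[0-9]+(?:\.[0-9]+)?",
}

# %{NAME}, %{NAME:field} or %{NAME:field:int|float}, the three forms grok accepts.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+)(?::(int|float))?)?\}")


class Grok:
    """Expand a grok pattern into a Python regex and apply it to one event."""

    def __init__(self, pattern):
        self.types = {}  # field name -> int/float for typed captures
        # DOTALL so '.' inside %{DATA} can cross the newline between the
        # "PING ..." header line and the first echo reply, as the answer's output shows.
        self.regex = re.compile(self._expand(pattern), re.DOTALL)

    def _expand(self, pattern):
        def sub(m):
            name, field, typ = m.groups()
            body = GROK_PATTERNS[name]
            if field is None:
                return f"(?:{body})"
            if typ is not None:
                self.types[field] = int if typ == "int" else float
            return f"(?P<{field}>{body})"
        return GROK_REF.sub(sub, pattern)

    def match(self, event):
        m = self.regex.match(event)
        if m is None:
            return None  # Logstash would tag the event _grokparsefailure here
        return {k: (self.types[k](v) if k in self.types and v is not None else v)
                for k, v in m.groupdict().items()}


# The answer's pattern, with (?<newline>...) spelled as Python's (?P<newline>...).
ANSWER_PATTERN = Grok(
    r"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR} %{WORD:PING} %{HOSTNAME:host} "
    r"\(%{IP:ip_address}\) %{DATA} ttl=%{INT:TTL}(?P<newline>(.|\r|\n)*)"
    r"rtt min/avg/max/mdev = %{NUMBER:min}/%{NUMBER:avg}/%{NUMBER:max}/%{NUMBER:mdev} ms"
)

# My own variant (not from the answer): read the statistics line, type the fields,
# and make the rtt line optional so that a 100%-loss block still parses.
TOLERANT_PATTERN = Grok(
    r"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR} PING %{HOSTNAME:host} "
    r"\(%{IP:ip_address}\)(?P<body>(.|\r|\n)*?)"
    r"%{INT:transmitted:int} packets transmitted, %{INT:received:int} received, "
    r"%{NUMBER:loss:float}% packet loss"
    r"(?:(.|\r|\n)*?rtt min/avg/max/mdev = %{NUMBER:min:float}/%{NUMBER:avg:float}"
    r"/%{NUMBER:max:float}/%{NUMBER:mdev:float} ms)?"
)

# Constructed events: the first is the question's block joined into one event,
# the second is what ping prints when the single probe gets no reply.
SAMPLE_OK = (
    "Tue Mar 27 06:51:48 2018 PING www.google.com (172.217.169.100) 56(84) bytes of data.\n"
    "64 bytes from sof02s31-in-f4.1e100.net (172.217.169.100): icmp_seq=1 ttl=128 time=17.4 ms\n"
    "\n"
    "--- www.google.com ping statistics ---\n"
    "1 packets transmitted, 1 received, 0% packet loss, time 0ms\n"
    "rtt min/avg/max/mdev = 17.482/17.482/17.482/0.000 ms\n"
)
SAMPLE_LOSS = (
    "Tue Mar 27 06:51:49 2018 PING www.google.com (172.217.169.100) 56(84) bytes of data.\n"
    "\n"
    "--- www.google.com ping statistics ---\n"
    "1 packets transmitted, 0 received, 100% packet loss, time 0ms\n"
)


def parse_ping(event):
    """Apply the answer's pattern; values come back as strings, as grok returns them."""
    return ANSWER_PATTERN.match(event)


def parse_ping_tolerant(event):
    """Apply the variant; typed fields, and min/avg/max/mdev are None on total loss."""
    return TOLERANT_PATTERN.match(event)


if __name__ == "__main__":
    print(parse_ping(SAMPLE_OK))
    print(parse_ping(SAMPLE_LOSS))           # None: no rtt line to anchor on
    print(parse_ping_tolerant(SAMPLE_LOSS))  # loss=100.0, min/avg/max/mdev=None
```

Two things worth noticing when running this. First, the code feeds the whole six-line block as one string; in a real pipeline something (the ping script, or the multiline codec on the input) still has to deliver those lines as a single event before grok sees them, and that part is outside this example. Second, because `(?P<newline>(.|\r|\n)*)` is greedy it will happily swallow any number of echo replies, so with `-c 5` the pattern still matches but `TTL` is always taken from the first reply only; if per-reply values are wanted, each `64 bytes from` line needs its own pattern or a `split` filter.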