I am writing a grok filter to parse my unstructured application logs. What I need is to look for certain lines and produce output in a specific format. For example, here is my log:
2018-05-07 01:19:40 M :Memory (xivr = 513.2 Mb, system = 3502.0 Mb, physical = 5386.7 Mb), CpuLoad (sys = 0%, xivr = 0%)
2018-05-07 01:29:40 M :Memory (xivr = 513.2 Mb, system = 3495.3 Mb, physical = 5370.1 Mb), CpuLoad (sys = 0%, xivr = 0%)
2018-05-07 05:51:19 1 :Hangup call
***2018-05-07 05:51:22 24 :Answer call from 71840746 for 91783028 [C:\xivr\es\IVR-Dialin.dtx]***
2018-05-07 05:51:30 24 :Hangup call
***2018-05-07 05:51:34 24 :Answer call from 71840746 for 91783028 [C:\xivr\es\IVR-Dialin.dtx]***
2018-05-07 00:31:21 45 :Device Dialogic Digital dxxxB12C1 [gc60.dev - Dialogic (SDK 6.0) ver 3.0.702:11646] (ThreadID: 1FF0, DriverChannel: 44)
2018-05-07 00:31:22 40 :Device Dialogic Digital dxxxB10C4 [gc60.dev - Dialogic (SDK 6.0) ver 3.0.702:11646] (ThreadID: 1B2C, DriverChannel: 39)
I need to get only the lines highlighted with *** into my Kibana, in the following format; the other lines should be ignored:
Logtimestamp:2018-05-07 05:51:22
Channel_id:24
Source_number: 71840746
Destination_Number:91783028
How can I achieve this?
Answer 0: (score: 1)
You can explicitly write whatever is unique about that specific pattern and use the pre-defined grok patterns for the rest.
In your case, the grok pattern is:
%{TIMESTAMP_ISO8601:Logtimestamp} %{NUMBER:Channel_id} :Answer call from %{NUMBER:Source_number} for %{NUMBER:Destination_Number} %{GREEDYDATA:etc}
It will match only the following pattern:
2018-05-07 05:51:34 24 :Answer call from 71840746 for 91783028 [C:\xivr\es\IVR-Dialin.dtx]
The syntax for a grok pattern is %{SYNTAX:SEMANTIC}.
In your filter,
%{TIMESTAMP_ISO8601:Logtimestamp} matches 2018-05-07 05:51:34
%{NUMBER:Channel_id} matches 24
:Answer call from matches the string literally
%{NUMBER:Source_number} matches 71840746
%{NUMBER:Destination_Number} matches 91783028
%{GREEDYDATA:etc} matches the rest of the data, i.e. [C:\xivr\es\IVR-Dialin.dtx].
Output:
{
  "Logtimestamp": [
    [
      "2018-05-07 05:51:22"
    ]
  ],
  "Channel_id": [
    [
      "24"
    ]
  ],
  "Source_number": [
    [
      "71840746"
    ]
  ],
  "Destination_Number": [
    [
      "91783028"
    ]
  ],
  "etc": [
    [
      "[C:\\xivr\\es\\IVR-Dialin.dtx***]"
    ]
  ]
}
You can test it here.
Hope it helps.
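As an added example, not part of the question or answer above, here is a Python equivalent of that grok expression run over the question's sample lines: it keeps only the "Answer call" events and discards everything else, which is what a `_grokparsefailure` drop does in a Logstash pipeline. The two regexes standing in for TIMESTAMP_ISO8601 and NUMBER are my approximations of Logstash's built-in pattern definitions, not the exact ones.

```python
import re

# Approximations of Logstash's built-in TIMESTAMP_ISO8601 and NUMBER grok
# patterns (assumption: close enough for these lines, not the exact definitions).
TIMESTAMP_ISO8601 = r"\d{4}-\d{2}-\d{2}[T ]\d{2}:?\d{2}(?::?\d{2}(?:\.\d+)?)?(?:Z|[+-]\d{2}:?\d{2})?"
NUMBER = r"[+-]?(?:\d+(?:\.\d+)?|\.\d+)"

# The answer's grok expression as a named-group regex. Anchored at both ends so
# a line that does not start with a timestamp is rejected immediately instead
# of being scanned for a match further along.
ANSWER_CALL = re.compile(
    rf"^(?P<Logtimestamp>{TIMESTAMP_ISO8601}) (?P<Channel_id>{NUMBER}) "
    rf":Answer call from (?P<Source_number>{NUMBER}) for (?P<Destination_Number>{NUMBER}) "
    rf"(?P<etc>.*)$"
)

# The question's sample log, with the *** highlighting removed.
SAMPLE_LOG = [
    r"2018-05-07 01:19:40 M :Memory (xivr = 513.2 Mb, system = 3502.0 Mb, physical = 5386.7 Mb), CpuLoad (sys = 0%, xivr = 0%)",
    r"2018-05-07 05:51:19 1 :Hangup call",
    r"2018-05-07 05:51:22 24 :Answer call from 71840746 for 91783028 [C:\xivr\es\IVR-Dialin.dtx]",
    r"2018-05-07 05:51:30 24 :Hangup call",
    r"2018-05-07 05:51:34 24 :Answer call from 71840746 for 91783028 [C:\xivr\es\IVR-Dialin.dtx]",
    r"2018-05-07 00:31:21 45 :Device Dialogic Digital dxxxB12C1 [gc60.dev - Dialogic (SDK 6.0) ver 3.0.702:11646] (ThreadID: 1FF0, DriverChannel: 44)",
]


def parse_answer_calls(lines):
    """Return one dict per 'Answer call' line; every other line is dropped.

    This mirrors a Logstash pipeline where grok tags non-matching events with
    _grokparsefailure and a following
    `if "_grokparsefailure" in [tags] { drop { } }` discards them.
    """
    events = []
    for line in lines:
        match = ANSWER_CALL.match(line)
        if match is None:
            continue  # Memory, Hangup and Device lines end up here
        events.append(match.groupdict())
    return events


if __name__ == "__main__":
    for event in parse_answer_calls(SAMPLE_LOG):
        print(event)
```

Logstash grok patterns are unanchored by default, so adding a leading `^` to the expression in the answer gives the same early rejection of non-matching lines that the regex above relies on.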