我是logstash的新手我试图找到从这个日志消息中提取数据的模式,我在filebeat.yml中启用模式来从日期到下一个日期的读取。
2018-05-21 14:49:12
Mode:Managed Frequency:2.457 GHz Access Point: 88:D7:F6:68:C1:78
Bit Rate=144.4 Mb/s Tx-Power=22 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
link Quality=65/70 Signal level=-45 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:217 Missed beacon:0
grok{
timeout_millis => 60000
match=>["message", "%{TIMESTAMP_ISO8601:mytimestamp}%{SPACE:ip}%{GREEDYDATA:val}%{SPACE:ip}%{GREEDYDATA:val}%{SPACE:ip}%{GREEDYDATA:val}%{SPACE:ip}%{GREEDYDATA:val}%{SPACE:ip}%{GREEDYDATA:val}%{SPACE:ip}%{GREEDYDATA:val}(?<powerlevel>(?<=Signal level\=).*?(\s))"]
}
这给了_groktimeout
filter {
grok {
match => ["message", "%{TIMESTAMP_ISO8601:mytimestamp}",
"message", "(?<powerlevel>(?<=Signal level\=).*?(\s))"]
}
这只给出了时间戳 请帮助我从这个日志中获取时间戳和信号级别
答案 0 :(得分:1)
您还需要在日期和信号级别之间匹配数据。这可以使用GREEDYDATA模式完成。此外,您还需要匹配所有空格和\n字符。
看看以下内容,
%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}(?m)%{GREEDYDATA:irrelevant_data}Signal level=%{NUMBER:Signal level}
它将匹配日期和Signal level,
<强>输出
{
"YEAR": [
[
"2018"
]
],
"MONTHNUM": [
[
"05"
]
],
"MONTHDAY": [
[
"21"
]
],
"TIME": [
[
"14:49:12"
]
],
"HOUR": [
[
"14"
]
],
"MINUTE": [
[
"49"
]
],
"SECOND": [
[
"12"
]
],
"irrelevant_data": [
[
"\nMode:Managed Frequency:2.457 GHz Access Point: 88:D7:F6:68:C1:78 \nBit Rate=144.4 Mb/s Tx-Power=22 dBm \nRetry short limit:7 RTS thr:off Fragment thr:off\nPower Management:on\nlink Quality=65/70 "
]
],
"Signal": [
[
"-45"
]
],
"BASE10NUM": [
[
"-45"
]
]
}
您的grok过滤器将变为,
filter {
grok {
match => ["message", "%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}(?m)%{GREEDYDATA:irrelevant_data}Signal level=%{NUMBER:Signal level}"]
}
}