Extracting log data with grok

Time: 2018-06-14 07:57:57

Tags: logstash logstash-grok

I am trying to extract data from a log file using grok. My log line is:

[Server 192.178.35.40] testweb.de 63.239.73.83 - - [19/Nov/2017:23:27:26 +0100] \"GET /service/want/teaser2/Buk/ HTTP/1.1\" 200 319 \"-\" \"https://testweb.de/Suche/Buk/Bonn\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\" \"65.259.77.67\" 0

I am expecting something like this:

server : 192.178.35.40
website : testweb.de
clientip : 63.239.73.83
timestamp:19/Nov/2017:23:27:26 +0100
method:GET
RESOURCE:/service/want/teaser2/Buk/ HTTP/1.1
RESPONCE:200
TIMETAKEN:319
USERAGENT:Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile 
Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
COOKIE:0

I tried https://grokdebug.herokuapp.com/ by giving the pattern

 %{ip:SERVER} 

and got a result, but could not parse the remaining data.

1 answer:

Answer 0: (score: 1)

How do you expect to extract everything into its own field using only one pattern?

You need to match each field separately to get the output you want. Can you try this?

%{IPV4:server}\] %{HOSTNAME:website} %{IPV4:client} - - \[%{HTTPDATE:timestamp}\] \\"%{WORD:method} (?<resource>%{NOTSPACE} HTTP/%{NUMBER})\\" %{NUMBER:response} %{NUMBER:TimeTaken} \\"-\\" \\"%{URI}\\" \\"%{GREEDYDATA:useragent}\).*%{NUMBER:cookie}

This will output:

{
  "server": [
    [
      "192.178.35.40"
    ]
  ],
  "website": [
    [
      "testweb.de"
    ]
  ],
  "client": [
    [
      "63.239.73.83"
    ]
  ],
  "timestamp": [
    [
      "19/Nov/2017:23:27:26 +0100"
    ]
  ],
  "MONTHDAY": [
    [
      "19"
    ]
  ],
  "MONTH": [
    [
      "Nov"
    ]
  ],
  "YEAR": [
    [
      "2017"
    ]
  ],
  "TIME": [
    [
      "23:27:26"
    ]
  ],
  "HOUR": [
    [
      "23"
    ]
  ],
  "MINUTE": [
    [
      "27"
    ]
  ],
  "SECOND": [
    [
      "26"
    ]
  ],
  "INT": [
    [
      "+0100"
    ]
  ],
  "method": [
    [
      "GET"
    ]
  ],
  "resource": [
    [
      "/service/want/teaser2/Buk/ HTTP/1.1"
    ]
  ],
  "NOTSPACE": [
    [
      "/service/want/teaser2/Buk/"
    ]
  ],
  "NUMBER": [
    [
      "1.1"
    ]
  ],
  "BASE10NUM": [
    [
      "1.1",
      "200",
      "319",
      "0"
    ]
  ],
  "response": [
    [
      "200"
    ]
  ],
  "TimeTaken": [
    [
      "319"
    ]
  ],
  "URI": [
    [
      "https://testweb.de/Suche/Buk/Bonn"
    ]
  ],
  "URIPROTO": [
    [
      "https"
    ]
  ],
  "USER": [
    [
      null
    ]
  ],
  "USERNAME": [
    [
      null
    ]
  ],
  "URIHOST": [
    [
      "testweb.de"
    ]
  ],
  "IPORHOST": [
    [
      "testweb.de"
    ]
  ],
  "HOSTNAME": [
    [
      "testweb.de"
    ]
  ],
  "IP": [
    [
      null
    ]
  ],
  "IPV6": [
    [
      null
    ]
  ],
  "IPV4": [
    [
      null
    ]
  ],
  "port": [
    [
      null
    ]
  ],
  "URIPATHPARAM": [
    [
      "/Suche/Buk/Bonn"
    ]
  ],
  "URIPATH": [
    [
      "/Suche/Buk/Bonn"
    ]
  ],
  "URIPARAM": [
    [
      null
    ]
  ],
  "useragent": [
    [
      "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html"
    ]
  ],
  "cookie": [
    [
      "0"
    ]
  ]
}
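As an added example (not from the question or the answer above), here is the same extraction written as an anchored Python regex, with simplified stand-ins for the grok macros (IPV4, HOSTNAME, HTTPDATE) that are my assumption rather than Logstash's real definitions, and the field names referrer and xff chosen by me. Unlike the answer's GREEDYDATA and .* it bounds every field and anchors both ends, so a line that does not fit the format returns None (the equivalent of a _grokparsefailure tag) instead of a partial match, which matters once the fields drive detection rules.

```python
import re
from datetime import datetime

# Constructed sample, copied from the question's log line (escaped quotes kept as stored).
SAMPLE = (
    r'[Server 192.178.35.40] testweb.de 63.239.73.83 - - '
    r'[19/Nov/2017:23:27:26 +0100] \"GET /service/want/teaser2/Buk/ HTTP/1.1\" '
    r'200 319 \"-\" \"https://testweb.de/Suche/Buk/Bonn\" '
    r'\"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) '
    r'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile '
    r'Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\" '
    r'\"65.259.77.67\" 0'
)

# Simplified stand-ins for the grok macros used in the answer (assumption: the real
# Logstash IPV4 / HOSTNAME definitions are stricter than these).
IPV4 = r'(?:\d{1,3}\.){3}\d{1,3}'
HOST = r'[A-Za-z0-9.-]+'

# Anchored with ^ and $, every field bounded by a character class: no GREEDYDATA or .*
# backtracking, and no silent partial match on a line of the wrong shape.
LINE_RE = re.compile(
    r'^\[Server (?P<server>' + IPV4 + r')\] '
    r'(?P<website>' + HOST + r') (?P<clientip>' + IPV4 + r') - - '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'\\"(?P<method>[A-Z]+) (?P<resource>\S+ HTTP/[0-9.]+)\\" '
    r'(?P<response>\d{3}) (?P<timetaken>\d+) '
    r'\\"-\\" \\"(?P<referrer>[^"\\]*)\\" '
    r'\\"(?P<useragent>[^"\\]*)\\" '
    r'\\"(?P<xff>[^"\\]*)\\" '
    r'(?P<cookie>\d+)$'
)


def parse_line(line):
    """Return the fields as a dict, or None when the line does not fit the format
    (the equivalent of Logstash tagging the event _grokparsefailure)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    # Same job as a Logstash date filter: turn the HTTPDATE text into a real timestamp.
    fields['@timestamp'] = datetime.strptime(
        fields['timestamp'], '%d/%b/%Y:%H:%M:%S %z').isoformat()
    # Numeric fields as integers, so range checks in a rule do not compare strings.
    for key in ('response', 'timetaken', 'cookie'):
        fields[key] = int(fields[key])
    return fields
```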