我目前正在尝试使用grok解析日志消息。以下是示例消息
[de4131185bb28bcd5f3019b168106682] [172.69.62.54] [/v2/user.json] Returned lineup_key for user OAuth [ OAuth realm="", oauth_consumer_key="qQRye5YLMtdw2TNmoiayMptwdbW29y3pTlaIj0lx", oauth_token="ArFbNvrxntvYIbA2QArJnCmbGCBQe3P5I1YHX8TX", oauth_signature_method="HMAC-SHA1", oauth_signature="o1DhpgEX7QyCDjDvPceHzJrm7h4%3D", oauth_timestamp="1529081887", oauth_nonce="0C6F8BAC-B3E3-44F3-A3BD-F04CF7815580", oauth_version="1.0" ] : [ MjE2LDI1OA== ]
正在使用的grok表达式
UMSAPPLOGDATA ^\[%{WORD:id}\]\s\[%{IP:ip}\]\s\[%{URIPATHPARAM:uri}\]%{GREEDYDATA:logMessage}
现在我想将下面的整个Oauth片段提取到名为oauth_parameters的单独变量中。
[ OAuth realm="", oauth_consumer_key="qQRye5YLMtdw2TNmoiayMptwdbW29y3pTlaIj0lx", oauth_token="ArFbNvrxntvYIbA2QArJnCmbGCBQe3P5I1YHX8TX", oauth_signature_method="HMAC-SHA1", oauth_signature="o1DhpgEX7QyCDjDvPceHzJrm7h4%3D", oauth_timestamp="1529081887", oauth_nonce="0C6F8BAC-B3E3-44F3-A3BD-F04CF7815580", oauth_version="1.0" ]
如何扩展我现有的grok表达式。
感谢你提供同样的帮助。
答案 0 :(得分:1)
您可以使用以下格式编写custom grok pattern
(?<field_name>the pattern here)
那样你的模式就是,
\buser OAuth (?<outh_parameters>(.*)oauth_version="\d{1,2}.\d{1,2}" ])
将输出,
{
"outh_parameters": [
[
"[ OAuth realm="", oauth_consumer_key="qQRye5YLMtdw2TNmoiayMptwdbW29y3pTlaIj0lx", oauth_token="ArFbNvrxntvYIbA2QArJnCmbGCBQe3P5I1YHX8TX", oauth_signature_method="HMAC-SHA1", oauth_signature="o1DhpgEX7QyCDjDvPceHzJrm7h4%3D", oauth_timestamp="1529081887", oauth_nonce="0C6F8BAC-B3E3-44F3-A3BD-F04CF7815580", oauth_version="1.0" ]"
]
]
}