我的系统日志的类型-
Apr 05 11:35:54 FNM00181600566-A control-path[20757]: 2019-04-05 11:35:54.168 [] [INFO] [com.command.CommandServiceVerticle|vert.x-eventloop-thread-3] [f0a447b9-cd28-4062-9635-8cebac682567] About to process Command com.contexts.eventprocessing.eventse
Apr 05 11:35:57 FNM00181600566-A xtremapp[99510]: Apr 05 11:35:57.242761 M [log_id:0][22884(23048 nb_truck_0_sym 0x7f9d108d61c0)]sym_query_select_mom_object:3010: JBOD enclosure object type, checking numbering against peer
Apr 05 11:35:55 FNM00181600566-A control-path[20757]: [INFO ] [REST] [external.rest.RequestValidationModule|vert.x-eventloop-thread-0] Validating GET request: /api/rest/level_session_volume_view?select=id,name,resource_type,family_id,source_appliance_id,destination_appliance_id,state,job_id,progress_percentage,automatic,operation_status,created_timestamp,last_sync_timestamp,estimated_completion_timestamp,rescan_hosts,recommendation_id
所有这三行都在同一日志文件中,但彼此之间有很大不同。我们可以使用ELK通过单个grok模式提取日志文件的内容吗?如果我可以使用其他过滤器,请告诉我。
我尝试了grok过滤器模式:
**%{SYSLOGBASE} *%{TIMESTAMP_ISO8601} *(?<extra1>[\s*\[*\w*\]*\s]+) *%{LOGLEVEL} *(?<extra2>[\s*\w*\]*\s]+) *\[%{NOTSPACE:component}\] *%{GREEDYDATA:message}**
但是它仅适用于某些日志行。