I have the following messages from ansible_results that I am trying to parse; basically I need to cut out the field that comes after "msg": in the messages below.
```
2019-05-07 07:56:06,374 p=7743 u=root | fatal: [xxxxx]: FAILED! => {"changed": false, "msg": "The system may not be mirrored according to the xxxx default mirror policy."}
2019-05-07 07:56:06,402 python-logstash-logger TASK FAILED | fail | HOST | xxxxxxx | RESULT | {"changed": false, "msg": "The system may not be mirrored according to the xxx default mirror policy."}
```
I am trying the pattern below, but it does not achieve this:

```
%{TIMESTAMP_ISO8601:time} p=%{INT:process} u=%{USER:user}|%{SPACE}falal:%{SPACE}%{WORD:fatal}%{SPACE}%{UNIXPATH: FAILED*?}
```
I want to split msg and the last message body into two different fields:

```
msg    The system may not be mirrored according to the xxxx default mirror policy.
```
Any expert help would be greatly appreciated.
Answer 0 (score: 1)
Since you have two very different log types, I used two different grok patterns:
```
grok {
  # match takes the source field and a list of patterns; grok tries them in
  # order and stops at the first one that matches (break_on_match is true by default).
  # Double quotes inside a double-quoted Logstash string must be escaped as \".
  match => {
    "message" => [
      "%{TIMESTAMP_ISO8601:time}.*p=%{INT:process} u=%{USER:user}.*%{WORD:result}! =>.*\"msg\": \"%{GREEDYDATA:msg}\"\}$",
      "%{TIMESTAMP_ISO8601:time}.*\|.*\|%{SPACE}%{GREEDYDATA:Host}%{SPACE}\|.*\|.*\|.*\"msg\": \"%{GREEDYDATA:msg}\"\}$"
    ]
  }
}
```
The first pattern with the first log line (values shown in quotes so that spacing is visible):

```
process  "7743"
result   "FAILED"
msg      "The system may not be mirrored  according to the xxxx default mirror policy."
time     "2019-05-07 07:56:06,374"
user     "root"
```
The second pattern with the second log line:

```
time     "2019-05-07 07:56:06,402"
Host     "HOST "
msg      "The system may not be mirrored  according to the xxx default mirror policy."
```
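The two patterns from the answer, run outside Logstash as an added example (this is not code from the question or the answer): a small Python expander turns each %{NAME:field} reference into a named regex group using simplified stand-ins for the standard grok definitions (an assumption; the grok-patterns file shipped with Logstash has fuller versions) and then tries the patterns in order, the way grok's match list does, against the two log lines from the question. Python's re module is used as a stand-in for the Oniguruma engine grok runs on; both do leftmost, greedy, backtracking matching, which is also why the Host field keeps its trailing space.

```python
import re
from typing import Optional

# Simplified stand-ins for the standard grok definitions (an assumption made
# for this example; Logstash's grok-patterns file defines them more fully).
GROK_PATTERNS = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2}(?:[.,]\d+)?)?",
    "INT": r"[+-]?\d+",
    "USER": r"[a-zA-Z0-9._-]+",
    "WORD": r"\b\w+\b",
    "SPACE": r"\s*",
    "GREEDYDATA": r".*",
}

# A %{NAME} or %{NAME:field} reference inside a grok pattern.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> "re.Pattern[str]":
    """Expand grok references into a compiled regex: %{NAME:field} becomes a
    named group, %{NAME} a non-capturing group; everything else is kept verbatim."""
    def expand(ref: "re.Match[str]") -> str:
        name, field = ref.group(1), ref.group(2)
        body = GROK_PATTERNS[name]  # KeyError for a name this example does not define
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(GROK_REF.sub(expand, pattern))


# The two patterns from the answer, unchanged.
ANSIBLE_FATAL = (r'%{TIMESTAMP_ISO8601:time}.*p=%{INT:process} u=%{USER:user}'
                 r'.*%{WORD:result}! =>.*"msg": "%{GREEDYDATA:msg}"\}$')
LOGSTASH_LOGGER = (r'%{TIMESTAMP_ISO8601:time}.*\|.*\|%{SPACE}%{GREEDYDATA:Host}'
                   r'%{SPACE}\|.*\|.*\|.*"msg": "%{GREEDYDATA:msg}"\}$')
COMPILED = [grok_to_regex(p) for p in (ANSIBLE_FATAL, LOGSTASH_LOGGER)]


def parse_line(line: str) -> Optional[dict]:
    """Mimic grok's match list: try each pattern in order and return the fields
    of the first one that matches. None is where grok would tag _grokparsefailure."""
    for regex in COMPILED:
        m = regex.search(line)  # grok searches; it does not anchor at ^ unless told to
        if m:
            return m.groupdict()
    return None


# The two lines from the question (the xxxx placeholders are the question's own).
SAMPLE_LINES = [
    '2019-05-07 07:56:06,374 p=7743 u=root | fatal: [xxxxx]: FAILED! => '
    '{"changed": false, "msg": "The system may not be mirrored according to the xxxx default mirror policy."}',
    '2019-05-07 07:56:06,402 python-logstash-logger TASK FAILED | fail | HOST | xxxxxxx | RESULT | '
    '{"changed": false, "msg": "The system may not be mirrored according to the xxx default mirror policy."}',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    # A constructed line with neither layout matches no pattern and yields None.
    print(parse_line("2019-05-07 07:56:07,000 p=7743 u=root | ok: [xxxxx]"))
```

The trailing `"\}$` in both patterns is what keeps GREEDYDATA honest: msg is allowed to run to the end of the line and then backtracks just far enough to leave the closing `"}` in place, so a message containing quotes or braces of its own is still captured whole. Because each pattern fails cleanly on the other log layout, the order in the match list does not matter here, but grok still stops at the first match, so put the most specific pattern first when layouts overlap.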