I have the following log, which carries a JSON payload. What is the best way to grok it so that I can create the key fields? Thanks for your time.

Log:

```
2018-10-17 16:20:04,358 WARNING VID_DROPS {"JITTER": 0.1, "INTVL": 6, "DATE": "Wed Oct 17 15:53:45 2018", "SOURCEIP": "192.168.12.1:22100", "ERRORS": 0.02, "LOSTPKT": 34, "FLOW": 116288, "MCAST": "239.0.1.102:1000", "SWITCH": "switc01", "INTERFACE": "TenGigE0/0/2/0", "CLASS": "Policy_VID"}
```

Here is my filter, which doesn't seem to work:

```
grok {
  match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{WORD:loglevel} %{WORD:VID_DROPS} %{NOTSPACE:json1}" }
  remove_field => [ "message" ]
}
json { source => "json1" remove_field => [ "json1" ] }
```
As baudsp mentioned, you need GREEDYDATA in order to match everything after the word VID_DROPS. Besides, there is a default pattern that can match the log level, %{LOGLEVEL:loglevel}, so you don't need to use WORD.

```
%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:loglevel} %{WORD:VID_DROPS} %{GREEDYDATA:json1}
```

will output:

```
{
  "timestamp": [["2018-10-17 16:20:04,358"]],
  "YEAR": [["2018"]],
  "MONTHNUM": [["10"]],
  "MONTHDAY": [["17"]],
  "HOUR": [["16", null]],
  "MINUTE": [["20", null]],
  "SECOND": [["04,358"]],
  "ISO8601_TIMEZONE": [[null]],
  "loglevel": [["WARNING"]],
  "VID_DROPS": [["VID_DROPS"]],
  "json1": [["{"JITTER": 0.1, "INTVL": 6, "DATE": "Wed Oct 17 15:53:45 2018", "SOURCEIP": "192.168.12.1:22100", "ERRORS": 0.02, "LOSTPKT": 34, "FLOW": 116288, "MCAST": "239.0.1.102:1000", "SWITCH": "switc01", "INTERFACE": "TenGigE0/0/2/0", "CLASS": "Policy_VID"}"]]
}
```
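As an added illustration (not part of the answer above and not Logstash's own code), the following Python script mimics what the grok and json filters do to this line. The regexes for TIMESTAMP_ISO8601, LOGLEVEL, WORD, NOTSPACE and GREEDYDATA are simplified, hand-written approximations of the built-in grok patterns, and the function names, sample line and failure tags used here are assumptions of this example. It shows why NOTSPACE stops at the first space inside the JSON and hands the json filter an unparsable fragment, while GREEDYDATA captures the whole payload.

```python
import json
import re

# Constructed sample line in the same shape as the log in the question.
SAMPLE_LINE = (
    '2018-10-17 16:20:04,358 WARNING VID_DROPS {"JITTER": 0.1, "INTVL": 6, '
    '"DATE": "Wed Oct 17 15:53:45 2018", "SOURCEIP": "192.168.12.1:22100", '
    '"ERRORS": 0.02, "LOSTPKT": 34, "FLOW": 116288, "MCAST": "239.0.1.102:1000", '
    '"SWITCH": "switc01", "INTERFACE": "TenGigE0/0/2/0", "CLASS": "Policy_VID"}'
)

# Simplified regex stand-ins for the grok patterns discussed in the thread
# (assumptions of this example; the real grok definitions are broader).
TIMESTAMP_ISO8601 = (
    r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2}(?:[.,]\d+)?)?"
    r"(?:Z|[+-]\d{2}:?\d{2})?"
)
LOGLEVEL = (
    r"(?:TRACE|DEBUG|INFO|NOTICE|WARN(?:ING)?|ERR(?:OR)?|CRIT(?:ICAL)?"
    r"|FATAL|SEVERE|EMERG(?:ENCY)?|ALERT)"
)
WORD = r"\b\w+\b"
NOTSPACE = r"\S+"      # stops at the first whitespace: the bug in the question
GREEDYDATA = r".*"     # consumes the rest of the line: the fix from the answer


def build_pattern(tail):
    """Assemble the full grok-style expression with a chosen pattern for json1.

    Like grok, the expression is not anchored at the end, so a too-narrow
    tail pattern silently matches a prefix instead of failing outright.
    """
    return re.compile(
        rf"(?P<timestamp>{TIMESTAMP_ISO8601}) (?P<loglevel>{LOGLEVEL}) "
        rf"(?P<VID_DROPS>{WORD}) (?P<json1>{tail})"
    )


BROKEN = build_pattern(NOTSPACE)    # equivalent of the question's filter
FIXED = build_pattern(GREEDYDATA)   # equivalent of the answer's pattern


def grok_line(line, pattern):
    """Return the named captures, or None (grok would tag _grokparsefailure)."""
    match = pattern.search(line)
    return match.groupdict() if match else None


def parse_event(line, pattern=FIXED):
    """Run the grok stage, then the json stage, mirroring the two filters.

    The returned dict is the resulting event: grok fields plus the keys from
    the JSON payload, with 'json1' removed as remove_field would do.
    """
    fields = grok_line(line, pattern)
    if fields is None:
        return {"message": line, "tags": ["_grokparsefailure"]}
    raw_json = fields.pop("json1")
    try:
        payload = json.loads(raw_json)
    except json.JSONDecodeError:
        # Logstash's json filter keeps the event and tags it on failure.
        fields["json1"] = raw_json
        fields["tags"] = ["_jsonparsefailure"]
        return fields
    fields.update(payload)
    return fields


if __name__ == "__main__":
    print("NOTSPACE json1 capture:", grok_line(SAMPLE_LINE, BROKEN)["json1"])
    print("NOTSPACE event:", parse_event(SAMPLE_LINE, BROKEN))
    print("GREEDYDATA event:", parse_event(SAMPLE_LINE, FIXED))
```

Run it as a script to see both outcomes side by side. Keeping the `_grokparsefailure` and `_jsonparsefailure` tags on the event, rather than dropping it, is what makes a broken pattern visible in monitoring: a spike in tagged events is the first sign that log parsing, and with it any detection built on those fields, has silently stopped working.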