[使用Grok Debuger,我正在尝试解析一些自定义数据:
1 1“设备1” 1“输入1” 0“开”“关”“ 2020-01-01T00:00:00.1124303 + 00:00”
到目前为止,我有:
%{INT:id}%{INT:device}%{QUOTEDSTRING:device_name}%{INT:input}%{QUOTEDSTRING:input_name}%{INT:state}%{QUOTEDSTRING:on_phrase}%{QUOTEDSTRING:off_phrase} \“%{TIMESTAMP_ISO8601:when} \”
但是,我得到类似字符串%{QUOTEDSTRING)的双引号,以及带有时间和日期%{TIMESTAMP_ISO8601:when}的两个小时和分钟的信息>
{ "id": [ [ "1" ] ], "device": [ [ "1" ] ], "device_name": [ [ ""Device 1"" ] ], "input": [ [ "1" ] ], "input_name": [ [ ""Input 1"" ] ], "state": [ [ "0" ] ], "on_phrase": [ [ ""On"" ] ], "off_phrase": [ [ ""Off"" ] ], "when": [ [ "2020-01-01T00:00:00.1124303+00:00" ] ], "YEAR": [ [ "2020" ] ], "MONTHNUM": [ [ "01" ] ], "MONTHDAY": [ [ "01" ] ], "HOUR": [ [ "00", "00" ] ], "MINUTE": [ [ "00", "00" ] ], "SECOND": [ [ "00.1124303" ] ], "ISO8601_TIMEZONE": [ [ "+00:00" ] ] }[另外,关于
logstash.conf,我有些困惑,因为我不确定index中的output应该是什么。以下代码来自github的先前示例:
input { beats { port => 5044 } } filter { grok { match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" } } } output { elasticsearch { hosts => "elasticsearch:9200" manage_template => false index => "sample-%{+YYYY.MM.dd}" } }我猜我的看起来像这样:
input { beats { port => 5044 } } filter { grok { match => { "message" => "%{INT:id} %{INT:device} %{QUOTEDSTRING:device_name} %{INT:input} %{QUOTEDSTRING:input_name} %{INT:state} %{QUOTEDSTRING:on_phrase} %{QUOTEDSTRING:off_phrase} \"%{TIMESTAMP_ISO8601:when}\"" } } } output { elasticsearch { hosts => "elasticsearch:9200" manage_template => false index => "sample-%{????????}" } }同样,我不清楚我应该如何处理
"sample-%{????????}"
[使用Grok Debuger,我试图解析一些自定义数据:1 1“设备1” 1“输入1” 0“打开”“关闭”“ 2020-01-01T00:00:00.1124303 + 00:00”到目前为止,我有:%{INT:id}%{INT:device}%{QUOTEDSTRING:...
关于双引号:只需使用DATA而不是QUOTEDSTRING: