I am trying to create a complete GROK pattern in Elasticsearch for the following custom JSON-based log:
------------------------DEBUG----------------------------
Date : 2019-12-26 12:18:21,498
METHOD NAME: xyz
{
"methodName": "SMS_POOL_IN",
"Tran_Type": "Response",
"URL": "xyz.abcL",
"ApiResult": "Success",
"Date": "2019/12/26 12:18:21",
"ErrorCode": "00",
"ErrorReason": "Success",
"Msisdn": "9999999",
"CNIC": "99999999",
"RequestID": "1111",
"SR_TranID": "2222",
"Channel": "abc"
}
But whenever I parse it, all I get back from grok is the timestamp.
I am testing with the grok debugger. Whenever I use GREEDYDATA I only get the first JSON parameter and the rest is ignored. Am I missing something here? How can I come up with a grok for these logs? Any helping hand would be much appreciated.
I have created the grok below
%{GREEDYDATA.*}%{SPACE \s}%{GREEDYDATA.*}%{SPACE \s}%{GREEDYDATA.*}%{SPACE \s}%{GREEDYDATA.*}%{SPACE \s}%{GREEDYDATA.*}%{SPACE \s}%{GREEDYDATA.*}%{SPACE \s}%{GREEDYDATA.*}%{SPACE \s}%{GREEDYDATA.*}%{SPACE \s}%{GREEDYDATA.*}%{SPACE \s}%{GREEDYDATA.*}%{SPACE \s}%{GREEDYDATA.*}%{SPACE \s}%{GREEDYDATA.*}%{SPACE \s}%{GREEDYDATA.*}%{SPACE \s}%{GREEDYDATA.*}%{SPACE \s}%{GREEDYDATA.*}%{SPACE \s}%{GREEDYDATA.*}%{SPACE \s}%{GREEDYDATA.*}%{SPACE \s}%{GREEDYDATA.*}%{SPACE \s}%{GREEDYDATA.*}
and got the following result from it.
{
"GREEDYDATA": [
[
"------------------------DEBUG----------------------------",
"Date : 2019-12-26 12:18:21,498 ",
"METHOD NAME: xyz",
"{",
"\"methodName\": \"SMS_POOL_IN\",",
"\"Tran_Type\": \"Response\",",
"\"URL\": \"xyz.abcL\",",
"\"ApiResult\": \"Success\",",
"\"Date\": \"2019/12/26 12:18:21\",",
"\"ErrorCode\": \"00\",",
"\"ErrorReason\": \"Success\",",
"\"Msisdn\": \"9999999\",",
"\"CNIC\": \"99999999\",",
"\"RequestID\": \"1111\",",
"\"SR_TranID\": \"2222\",",
"\"Channel\": \"abc\"",
"} ",
"",
""
]
],
"SPACE": [
[
"\n",
"\n",
"\n",
"\n ",
"\n ",
"\n ",
"\n ",
"\n ",
"\n ",
"\n ",
"\n ",
"\n ",
"\n ",
"\n ",
"\n ",
"\n",
"",
""
]
]
}
I need all of these JSON tags to show up, because I need to populate them as separate tags in ELK.
I created the grok myself; the only problem was the syntax I was using to build it. Below is the correct grok syntax to read the above:
%{TIMESTAMP_ISO8601:date_time}\s*%{GREEDYDATA:Method}\n%{GREEDYDATA:Bracket}\s*\"methodName\"\:\s\"%{DATA:methodName}\s*\"Tran_Type\"\:\s\"%{DATA:Tran_Type}\s*\"URL\"\:\s\"%{DATA:URL}\s*\"ApiResult\"\:\s\"%{DATA:ApiResult}\s*\"Date\"\:\s\"%{DATA:Date}\s*\"ErrorCode\"\:\s\"%{DATA:ErrorCode}\s*\"ErrorReason\"\:\s\"%{DATA:ErrorReason}\s*\"Message\"\:\s\"%{DATA:Message}\s*\"Msisdn\"\:\s\"%{DATA:Msisdn}\s*\"CNIC\"\:\s\"%{DATA:CNIC}\s*\"RequestID\"\:\s\"%{DATA:RequestID}\s*\"SR_TranID\"\:\s\"%{DATA:SR_TranID}\s*\"Channel\"\:\s\"%{DATA:Channel}\s
First I take the timestamp, then everything outside the JSON string goes into GREEDYDATA, and then I separate the JSON tags with the DATA keyword.
I assume you want to split the first three lines into 3 separate fields and put the rest of the JSON string object into another field.
I copied your input text from here, so every line ends with \n. That is what my pattern matches on.
Let me know if the output needs more parsing etc.
My pipeline config with the grok pattern to parse the input:
input {
  http { }
}
filter {
  grok {
    match => { "message" => "(?<debug-string>[^\n]+)\n(?<date-string>[^\n]+)\n(?<method-name>[^\n]+)\n%{GREEDYDATA:RestOfIt}" }
  }
  mutate {
    remove_field => ["headers", "host", "@timestamp", "@version"]
  }
}
output {
  stdout { }
}
Output:
{
       "message" => "------------------------DEBUG----------------------------\nDate : 2019-12-26 12:18:21,498\nMETHOD NAME: xyz\n{\n\"methodName\": \"SMS_POOL_IN\",\n\"Tran_Type\": \"Response\",\n\"URL\": \"xyz.abcL\",\n\"ApiResult\": \"Success\",\n\"Date\": \"2019/12/26 12:18:21\",\n\"ErrorCode\": \"00\",\n\"ErrorReason\": \"Success\",\n\"Msisdn\": \"9999999\",\n\"CNIC\": \"99999999\",\n\"RequestID\": \"1111\",\n\"SR_TranID\": \"2222\",\n\"Channel\": \"abc\"\n}",
   "date-string" => "Date : 2019-12-26 12:18:21,498",
   "method-name" => "METHOD NAME: xyz",
      "RestOfIt" => "{\n\"methodName\": \"SMS_POOL_IN\",\n\"Tran_Type\": \"Response\",\n\"URL\": \"xyz.abcL\",\n\"ApiResult\": \"Success\",\n\"Date\": \"2019/12/26 12:18:21\",\n\"ErrorCode\": \"00\",\n\"ErrorReason\": \"Success\",\n\"Msisdn\": \"9999999\",\n\"CNIC\": \"99999999\",\n\"RequestID\": \"1111\",\n\"SR_TranID\": \"2222\",\n\"Channel\": \"abc\"\n}",
  "debug-string" => "------------------------DEBUG----------------------------"
}
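The two answers above take different routes to the same event: the first one names every JSON key in a long chain of DATA captures, the second one captures the three header lines with line-anchored groups and leaves the JSON object in one GREEDYDATA field. The following is an added worked example (not code from either answer and not a Logstash plugin) that reproduces the second answer's pattern in Python's re module and then goes one step further than the page: it parses the RestOfIt remainder as real JSON so every key becomes its own field without hand-writing a capture per key, and it turns the header date line into a timestamp. The sample log is constructed to match the question's input; group names use underscores instead of the answer's hyphens because Python does not allow hyphens in group names; the _jsonparsefailure tag and the helper names are this example's own choices.

```python
import json
import re
from datetime import datetime

# Constructed sample event, identical in shape to the log in the question:
# three header lines followed by a pretty-printed JSON object.
SAMPLE_LOG = """------------------------DEBUG----------------------------
Date : 2019-12-26 12:18:21,498
METHOD NAME: xyz
{
"methodName": "SMS_POOL_IN",
"Tran_Type": "Response",
"URL": "xyz.abcL",
"ApiResult": "Success",
"Date": "2019/12/26 12:18:21",
"ErrorCode": "00",
"ErrorReason": "Success",
"Msisdn": "9999999",
"CNIC": "99999999",
"RequestID": "1111",
"SR_TranID": "2222",
"Channel": "abc"
}"""

# Python equivalent of the answer's grok pattern. Grok's (?<name>...) is
# (?P<name>...) here. [^\n]+ is greedy but stops at the newline, which is
# why it captures exactly one line instead of swallowing the whole event
# the way a chain of %{GREEDYDATA} captures does.
HEADER_RE = re.compile(
    r"(?P<debug_string>[^\n]+)\n"
    r"(?P<date_string>[^\n]+)\n"
    r"(?P<method_name>[^\n]+)\n"
    r"(?P<rest_of_it>.*)",
    re.DOTALL,  # let .* cross newlines, as GREEDYDATA does in Logstash
)

# Header date line: "Date : 2019-12-26 12:18:21,498" (comma before the
# milliseconds, which grok's TIMESTAMP_ISO8601 also accepts).
DATE_LINE_RE = re.compile(
    r"Date\s*:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:[,.](\d{1,6}))?"
)


def split_event(raw):
    """Split one event into the three header fields plus the raw JSON remainder.
    Returns None when the event does not match, the analogue of _grokparsefailure."""
    m = HEADER_RE.match(raw)
    return None if m is None else m.groupdict()


def header_timestamp(date_line):
    """Parse the header 'Date : ...' line into a datetime, or None if absent."""
    m = DATE_LINE_RE.search(date_line)
    if m is None:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    if m.group(2):
        # ",498" is milliseconds; pad to microseconds for datetime.
        ts = ts.replace(microsecond=int(m.group(2).ljust(6, "0")))
    return ts


def parse_event(raw):
    """Header split followed by a real JSON parse of the remainder, so every
    key of the object becomes its own field (what the DATA-per-key grok in the
    first answer does by hand)."""
    fields = split_event(raw)
    if fields is None:
        return None
    ts = header_timestamp(fields["date_string"])
    if ts is not None:
        fields["timestamp"] = ts.isoformat(timespec="milliseconds")
    rest = fields.pop("rest_of_it")
    try:
        body = json.loads(rest)
        if not isinstance(body, dict):
            raise ValueError("remainder is JSON but not an object")
    except (json.JSONDecodeError, ValueError) as exc:
        # Keep the event and the raw text, and flag the failure visibly
        # instead of silently dropping data; mirrors Logstash's tag style.
        fields["rest_of_it"] = rest
        fields["tags"] = ["_jsonparsefailure"]
        fields["json_error"] = str(exc)
        return fields
    # Header fields take precedence over JSON keys with the same name.
    for key, value in body.items():
        fields.setdefault(key, value)
    return fields


if __name__ == "__main__":
    for k, v in parse_event(SAMPLE_LOG).items():
        print(f"{k:>14} => {v!r}")
```

In a Logstash pipeline the same second step is the json filter applied to the grok output, for example `json { source => "RestOfIt" }` placed after the grok filter, which adds each key of the object as a field and tags the event with `_jsonparsefailure` when the remainder is not valid JSON. One caveat the answer's http input hides: with a file or Beats input, each line arrives as its own event unless multiline handling joins the header lines and the JSON block into one message first, and without that the `[^\n]+\n` groups never match.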