【发布时间】:2016-10-18 22:31:33
【问题描述】:
我正在尝试解析我有 2 个我想使用 logstash 解析的 URI 的日志。
使用此输入(2 个 URI 以空格分隔):
https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html?toto https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/grok-patterns
我想得到以下文件:
{
"source": {
"URI" : "https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html?toto",
"URIPROTO" : "https",
"URIHOST": "www.elastic.co",
"URIPATHPARAM": "/guide/en/logstash/current/plugins-filters-grok.html?toto",
...
},
"destination" : {
"URI" : "https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/grok-patterns",
"URIPROTO" : "https",
"URIHOST": "github.com",
"URIPATHPARAM": "/logstash-plugins/logstash-patterns-core/blob/master/patterns/grok-patterns",
...
}
}
我一直在尝试使用这个 grok 过滤器:
%{URI:source} %{URI:destination}
但我得到以下结果,其中源和目标信息(URIPROTO,URIHOST...)在我的文档根节点的数组中合并:
{
"source": [
"https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html?toto"
],
"URIPROTO": [
"https",
"https"
],
...
"URIHOST": [
"www.elastic.co",
"github.com"
],
"IPORHOST": [
"www.elastic.co",
"github.com"
],
"HOSTNAME": [
"www.elastic.co",
"github.com"
],
"IP": [
null,
null
],
...
"destination": [
"https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/grok-patterns"
]
}
有没有人遇到过这种情况并找到解决方案? 提前感谢您的帮助!
【问题讨论】:
-
请发布您的 Logstash 配置。然后我们可以从那里开始。
-
似乎您显示的输出来自 grok 调试器,默认情况下,它将显示所有捕获(即使是那些未“命名”到字段中的捕获)。
标签: elasticsearch logstash logstash-grok