logstash grok filter for logs with arbitrary attribute-value pairs

时光说笑 2020-12-11 21:39

(This is related to my other question logstash grok filter for custom logs)

I have a logfile whose lines look something like:

14:46:16.603 [http-nio         


        
1 answer
  • 2020-12-11 22:08

    You can change your grok pattern like this to have all the key value pairs in one field (kvpairs):

    %{TIME:timestamp} %{NOTSPACE:http} %{WORD:loglevel}%{SPACE}%{WORD:logtype} - %{GREEDYDATA:kvpairs}
    

    Afterwards you can use the kv filter to parse the key value pairs.

    kv {
        source => "kvpairs"
        remove_field => [ "kvpairs" ] # Delete the field afterwards
    }
    

    Unfortunately, you have some simple values inside your kv pairs (e.g. CREATE_JOB). You could parse them with grok and use one kv filter for the values before and another kv filter for the values after those simple values.

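The approach from the last paragraph of the answer (grok out the bare value, then run one kv filter on each side of it), written out as an added example that is not part of the original answer. The sample line, the field names `kv_before`, `action` and `kv_after`, and the assumption that a line holds at most one bare upper-case token are all assumptions, since the log line on the page is truncated.

```logstash
# Constructed sample line (assumed format, not taken from the page):
# 14:46:16.603 [http-nio-8080-exec-1] INFO  METERING - msg=start userid=42 CREATE_JOB jobid=7 status=ok
input { stdin { } }

filter {
  # Pattern 1: key=value pairs, one bare upper-case token, then optionally
  # more pairs. The literal space before the token keeps it from matching
  # inside a value, and an upper-case key such as ID=5 is rejected because
  # the token must be followed by a space or the end of the line.
  # Pattern 2: the answer's pattern, used when a line has no bare token.
  grok {
    match => {
      "message" => [
        "%{TIME:timestamp} %{NOTSPACE:http} %{WORD:loglevel}%{SPACE}%{WORD:logtype} - %{DATA:kv_before} (?<action>[A-Z_]+)(?: %{GREEDYDATA:kv_after})?$",
        "%{TIME:timestamp} %{NOTSPACE:http} %{WORD:loglevel}%{SPACE}%{WORD:logtype} - %{GREEDYDATA:kvpairs}"
      ]
    }
  }

  # A kv filter does nothing when its source field is absent, so all three
  # can be listed unconditionally; only the ones grok populated will run.
  kv {
    source => "kv_before"
    remove_field => [ "kv_before" ]
  }
  kv {
    source => "kv_after"
    remove_field => [ "kv_after" ]
  }
  kv {
    source => "kvpairs"
    remove_field => [ "kvpairs" ]
  }
}

output { stdout { codec => rubydebug } }
```

For the sample line this yields `action => "CREATE_JOB"` next to the `msg`, `userid`, `jobid` and `status` fields. No `target` is set on the kv filters because two kv filters writing to the same `target` would overwrite each other rather than merge.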