问题
I am using LogStash which accepts data from a log file, which has different types of logs.
I tried this:
filter {
grok {
match => { "message" => "%{WORD:tag} %{WORD:message} %{WORD:value}
}
}
But it doesn't work.
回答1:
I am using the grok filter to check if the log line is of one format.
If the grok filter cannot parse the log line (such as with the json lines), _grokparsefailure will be added to the tags. You can then use this tag to differentiate between the two log type.
filter {
grok {
match => {
"message"=>
"tag: %{GREEDYDATA:tag} message: %{GREEDYDATA:message} value: %{WORD:value}"
}
}
if "_grokparsefailure" in [tags] {
json {
source => message
}
}
}
To test your grok pattern, Grok Constructor is a good tool.
来源:https://stackoverflow.com/questions/39034834/how-to-use-regex-for-config-files-in-this-use-case