使用 grok 过滤以从多行中提取数据
filter to extract data from multiple lines using grok
我是 logstash 的新手,我正在尝试找到模式以从此日志消息中提取数据,我在 filebeat.yml 中启用模式以从日期读取到下一次出现的日期。
2018-05-21 14:49:12
Mode:Managed Frequency:2.457 GHz Access Point: 88:D7:F6:68:C1:78
Bit Rate=144.4 Mb/s Tx-Power=22 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
link Quality=65/70 Signal level=-45 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:217 Missed beacon:0
grok{
timeout_millis => 60000
match=>["message", "%{TIMESTAMP_ISO8601:mytimestamp}%{SPACE:ip}%{GREEDYDATA:val}%{SPACE:ip}%{GREEDYDATA:val}%{SPACE:ip}%{GREEDYDATA:val}%{SPACE:ip}%{GREEDYDATA:val}%{SPACE:ip}%{GREEDYDATA:val}%{SPACE:ip}%{GREEDYDATA:val}(?<powerlevel>(?<=Signal level\=).*?(\s))"]
}
这给出了 _groktimeout
filter {
grok {
match => ["message", "%{TIMESTAMP_ISO8601:mytimestamp}",
"message", "(?<powerlevel>(?<=Signal level\=).*?(\s))"]
}
这只给出了时间戳
请有人帮我从这个日志中获取时间戳和信号级别
您还需要匹配日期和信号级别之间的数据。这可以使用 GREEDYDATA 模式来完成。此外,您还需要匹配所有空格和 \n 个字符。
看看下面的,
%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}(?m)%{GREEDYDATA:irrelevant_data}Signal level=%{NUMBER:Signal level}
它将匹配日期和 Signal level,
输出,
{
"YEAR": [
[
"2018"
]
],
"MONTHNUM": [
[
"05"
]
],
"MONTHDAY": [
[
"21"
]
],
"TIME": [
[
"14:49:12"
]
],
"HOUR": [
[
"14"
]
],
"MINUTE": [
[
"49"
]
],
"SECOND": [
[
"12"
]
],
"irrelevant_data": [
[
"\nMode:Managed Frequency:2.457 GHz Access Point: 88:D7:F6:68:C1:78 \nBit Rate=144.4 Mb/s Tx-Power=22 dBm \nRetry short limit:7 RTS thr:off Fragment thr:off\nPower Management:on\nlink Quality=65/70 "
]
],
"Signal": [
[
"-45"
]
],
"BASE10NUM": [
[
"-45"
]
]
}
你的 grok 过滤器将变成,
filter {
grok {
match => ["message", "%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}(?m)%{GREEDYDATA:irrelevant_data}Signal level=%{NUMBER:Signal level}"]
}
}
我是 logstash 的新手,我正在尝试找到模式以从此日志消息中提取数据,我在 filebeat.yml 中启用模式以从日期读取到下一次出现的日期。
2018-05-21 14:49:12
Mode:Managed Frequency:2.457 GHz Access Point: 88:D7:F6:68:C1:78
Bit Rate=144.4 Mb/s Tx-Power=22 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
link Quality=65/70 Signal level=-45 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:217 Missed beacon:0
grok{
timeout_millis => 60000
match=>["message", "%{TIMESTAMP_ISO8601:mytimestamp}%{SPACE:ip}%{GREEDYDATA:val}%{SPACE:ip}%{GREEDYDATA:val}%{SPACE:ip}%{GREEDYDATA:val}%{SPACE:ip}%{GREEDYDATA:val}%{SPACE:ip}%{GREEDYDATA:val}%{SPACE:ip}%{GREEDYDATA:val}(?<powerlevel>(?<=Signal level\=).*?(\s))"]
}
这给出了 _groktimeout
filter {
grok {
match => ["message", "%{TIMESTAMP_ISO8601:mytimestamp}",
"message", "(?<powerlevel>(?<=Signal level\=).*?(\s))"]
}
这只给出了时间戳 请有人帮我从这个日志中获取时间戳和信号级别
您还需要匹配日期和信号级别之间的数据。这可以使用 GREEDYDATA 模式来完成。此外,您还需要匹配所有空格和 \n 个字符。
看看下面的,
%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}(?m)%{GREEDYDATA:irrelevant_data}Signal level=%{NUMBER:Signal level}
它将匹配日期和 Signal level,
输出,
{
"YEAR": [
[
"2018"
]
],
"MONTHNUM": [
[
"05"
]
],
"MONTHDAY": [
[
"21"
]
],
"TIME": [
[
"14:49:12"
]
],
"HOUR": [
[
"14"
]
],
"MINUTE": [
[
"49"
]
],
"SECOND": [
[
"12"
]
],
"irrelevant_data": [
[
"\nMode:Managed Frequency:2.457 GHz Access Point: 88:D7:F6:68:C1:78 \nBit Rate=144.4 Mb/s Tx-Power=22 dBm \nRetry short limit:7 RTS thr:off Fragment thr:off\nPower Management:on\nlink Quality=65/70 "
]
],
"Signal": [
[
"-45"
]
],
"BASE10NUM": [
[
"-45"
]
]
}
你的 grok 过滤器将变成,
filter {
grok {
match => ["message", "%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}(?m)%{GREEDYDATA:irrelevant_data}Signal level=%{NUMBER:Signal level}"]
}
}