How to parse json in logstash /grok from ansible_results
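I have the following messages coming from ansible_results, and I am trying to parse them. Basically, what I need is to strip out the field after "msg": from the messages below.
Log samples: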
2019-05-07 07:56:06,374 p=7743 u=root | fatal: [xxxxx]: FAILED! => {"changed": false, "msg": "The system may not be mirrored according to the xxxx default mirror policy."}
2019-05-07 07:56:06,402 python-logstash-logger TASK FAILED | fail | HOST | xxxxxxx | RESULT | {"changed": false, "msg": "The system may not be mirrored according to the xxx default mirror policy."}
I am trying the following, but I can't figure out how to get this done:
%{TIMESTAMP_ISO8601:time} p=%{INT:process} u=%{USER:user}|%{SPACE}falal:%{SPACE}%{WORD:fatal}%{SPACE}%{UNIXPATH: FAILED*?}
Expected:
Split msg and the last message body into two different fields..
msg The system may not be mirrored according to the xxxx default mirror policy.
Any expert help would be greatly appreciated.
Since you have two very different log types, I used two different grok patterns:
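grok {
  # One pattern per log format; grok tries them in order and stops at the first match.
  # "message" is Logstash's default field for the raw log line.
  # Single-quoted strings let the literal double quotes around msg appear unescaped.
  match => {
    "message" => [
      '%{TIMESTAMP_ISO8601:time}.*p=%{INT:process} u=%{USER:user}.*%{WORD:result}! =>.*"msg": "%{GREEDYDATA:msg}"\}$',
      '%{TIMESTAMP_ISO8601:time}.*\|.*\|%{SPACE}%{GREEDYDATA:Host}%{SPACE}\|.*\|.*\|.*"msg": "%{GREEDYDATA:msg}"\}$'
    ]
  }
}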
First pattern on the first log line:
process 7743
result FAILED
msg The·system·may·not·be·mirrored··according·to·the·xxxx·default·mirror·policy.
time 2019-05-07·07:56:06,374
user root
Second pattern on the second log line:
time 2019-05-07·07:56:06,402
Host HOST·
msg The·system·may·not·be·mirrored··according·to·the·xxx·default·mirror·policy.
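An alternative to matching inside the JSON with a regex, as an added example that is not part of the original question or answer: capture the trailing JSON object with grok and hand it to the json filter, which keeps working when msg contains escaped quotes or is not the last key. The field names (level, host_name, event, action, result_json, ansible) and the failure tags are assumptions chosen for illustration, and the second pattern assumes HOST and RESULT are literal labels in that log format.

```logstash
filter {
  grok {
    # Both formats end with the Ansible result as a JSON object, so capture
    # that tail whole instead of reaching into it with a regex.
    match => {
      "message" => [
        '^%{TIMESTAMP_ISO8601:time} p=%{INT:process} u=%{USER:user} \| %{WORD:level}: \[%{DATA:host_name}\]: %{WORD:result}! => %{GREEDYDATA:result_json}$',
        '^%{TIMESTAMP_ISO8601:time} python-logstash-logger %{DATA:event} \| %{DATA:action} \| HOST \| %{DATA:host_name} \| RESULT \| %{GREEDYDATA:result_json}$'
      ]
    }
    # Lines matching neither format are tagged rather than silently dropped.
    tag_on_failure => ["_ansible_grok_failure"]
  }

  if [result_json] {
    json {
      source => "result_json"
      target => "ansible"   # yields [ansible][changed] and [ansible][msg]
      tag_on_failure => ["_ansible_json_failure"]
    }

    # On a parse failure result_json is kept so the raw payload can be inspected.
    if "_ansible_json_failure" not in [tags] {
      mutate {
        rename       => { "[ansible][msg]" => "msg" }
        remove_field => ["result_json"]
      }
    }
  }
}
```

Events tagged _ansible_grok_failure or _ansible_json_failure can be routed to a separate index so that unparsed task failures stay visible.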