Logstash Notes (2): grok and its match option


Official documentation:

https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html

Basic syntax:

%{SYNTAX:SEMANTIC}

SYNTAX: the name of a predefined regular expression (the patterns shipped with the plugin live by default in $HOME/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns)

SEMANTIC: the field name under which the matched text is stored

grok{
  match=>{
    "message"=>"%{IP:clientip}"
  }
}

Output:

{
  "message" => "192.168.1.1 abc",
  "@version" => "1",
  "@timestamp" => "2016-03-30T02:15:31.242Z",
  "host" => "master",
  "clientip" => "192.168.1.1"
}

Here clientip is the SEMANTIC, i.e. the field name.

Each %{IP:clientip} expression only matches the first occurrence in message. To capture several results of the same type, write one pattern per occurrence:

%{IP:clientip}\s+%{IP:clientip1}... If the same SEMANTIC name is used for more than one capture, the results are stored as an array, for example:

{
  "message" => "12.12.12.12 32.32.32.32",
  "@version" => "1",
  "@timestamp" => "2016-03-30T02:26:31.077Z",
  "host" => "master",
  "clientip" => [
    [0] "12.12.12.12",
    [1] "32.32.32.32"
  ]
}

 

Custom grok expressions

Syntax: (?<field_name>the pattern here)

Example:

grok{
  match=>{
    "message"=>"%{IP:clientip}\s+(?<mypattern>[A-Z]+)"
  }
}

Result:

{
  "message" => "12.12.12.12 ABC",
  "@version" => "1",
  "@timestamp" => "2016-03-30T03:22:04.466Z",
  "host" => "master",
  "clientip" => "12.12.12.12",
  "mypattern" => "ABC"
}

Creating a custom grok pattern file

Create the file mypatterns_file in /home/hadoop/mylogstash/mypatterns_dir with the following content:

MY_PATTERN [A-Z]+

Save it.

Then modify the filter so that patterns_dir points at that directory:

grok{
  patterns_dir=>["/home/hadoop/mylogstash/mypatterns_dir"]
  match=>{
    "message"=>"%{IP:clientip}\s+%{MY_PATTERN:mypattern}"
  }
}

The result is the same as above.
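To show how the three mechanisms above fit together (a %{SYNTAX:SEMANTIC} reference becoming a named capture, a repeated SEMANTIC name collapsing into an array, and a patterns_dir file adding a custom SYNTAX such as MY_PATTERN), here is a miniature grok expander in plain Ruby. It is an added example, not part of the original notes and not Logstash's own implementation: the MiniGrok class, the generated g1/g2 group names, the simplified IP regex and the in-memory copy of mypatterns_file are all this example's own assumptions.

```ruby
# Added example (not part of the original post and not Logstash's own code):
# a miniature grok expander in plain Ruby that reproduces the behaviour the
# notes describe for %{SYNTAX:SEMANTIC}, repeated SEMANTIC names, inline
# (?<name>...) captures and a patterns_dir file. MiniGrok and the g1/g2
# group names are this example's own choices.

# Stand-in for the patterns-core directory shipped with the plugin. The IP
# regex here is a simplified, constructed one, not the shipped IPV4 pattern.
BUILTIN_PATTERNS = {
  "IP"   => '(?:[0-9]{1,3}\.){3}[0-9]{1,3}',
  "WORD" => '\b\w+\b',
}.freeze

# Constructed in-memory copy of the page's mypatterns_file ("NAME regex" per line).
MY_PATTERNS_FILE = "MY_PATTERN [A-Z]+\n"

# Parse a patterns_dir file: each non-blank, non-comment line is NAME<space>REGEX.
def load_pattern_file(text)
  text.each_line.with_object({}) do |line, defs|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    name, regex = line.split(/\s+/, 2)
    defs[name] = regex
  end
end

class MiniGrok
  GROK_REF = /%\{(\w+)(?::(\w+))?\}/ # %{SYNTAX} or %{SYNTAX:SEMANTIC}

  def initialize(defs)
    @defs = defs
  end

  # Match message against a grok pattern and return a hash of the captured
  # fields, or nil when the pattern does not match (Logstash would leave the
  # event untouched and add a _grokparsefailure tag instead).
  def match(pattern, message)
    @fields = {}
    @counter = 0
    m = Regexp.new(expand(pattern)).match(message)
    return nil unless m

    event = {}
    m.names.each do |group|
      value = m[group]
      next if value.nil?
      # Generated groups map back to their SEMANTIC; inline (?<name>...) groups keep their own name.
      field = @fields.fetch(group, group)
      # A SEMANTIC seen twice turns the scalar into an array, as in the rubydebug output above.
      event[field] = event.key?(field) ? Array(event[field]) << value : value
    end
    event
  end

  private

  # Rewrite every %{...} reference into regex source. Each SEMANTIC gets a
  # unique group name so the same SEMANTIC may appear several times (Ruby
  # itself would only return the last of several same-named groups).
  def expand(pattern)
    pattern.gsub(GROK_REF) do
      syntax, semantic = Regexp.last_match(1), Regexp.last_match(2)
      body = @defs.fetch(syntax) { raise ArgumentError, "unknown grok pattern #{syntax}" }
      inner = expand(body) # pattern definitions may reference other patterns
      if semantic
        group = "g#{@counter += 1}"
        @fields[group] = semantic
        "(?<#{group}>#{inner})"
      else
        "(?:#{inner})"
      end
    end
  end
end

# The configurations from the notes, run against their sample messages,
# plus one message that does not match at all.
def demo_events
  defs = BUILTIN_PATTERNS.merge(load_pattern_file(MY_PATTERNS_FILE))
  grok = MiniGrok.new(defs)
  {
    single:  grok.match('%{IP:clientip}', '192.168.1.1 abc'),
    array:   grok.match('%{IP:clientip}\s+%{IP:clientip}', '12.12.12.12 32.32.32.32'),
    inline:  grok.match('%{IP:clientip}\s+(?<mypattern>[A-Z]+)', '12.12.12.12 ABC'),
    custom:  grok.match('%{IP:clientip}\s+%{MY_PATTERN:mypattern}', '12.12.12.12 ABC'),
    nomatch: grok.match('%{IP:clientip}', 'no address in this line'),
  }
end

pp demo_events if $PROGRAM_NAME == __FILE__
```

Running the file prints the five results; the first four are the same field hashes shown in the outputs above, and the last is nil. In a real pipeline that nil case is the one worth watching: Logstash tags such events with _grokparsefailure rather than dropping them, so counting that tag is the quickest way to notice that a log format changed and fields your detections rely on are silently empty.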

