我试图从 logstash 1.repositories#create 2.\"repo\":\"username/reponame\" 的此输出中仅 grep 几个字段。请分享您的想法以 grep 此输出中的特定信息并将其分配给另一个变量
"消息" => "<190>11 月 1 日 20:35:15 10-254-128-66 github_audit: {\"actor_ip\":\"192.168.1.1\",\"from\":\"repositories# create\",\"actor\":\"myuserid\",\"repo\":\"username/reponame\",\"action\":\"staff.repo_route\",\"created_at\": 1516286634991,\"repo_id\":44743,\"actor_id\":1033,\"data\":{\"actor_location\":{\"location\":{\"lat\":null,\"lon \“:空值}}}}”,
我正在使用这个 syslog.conf 文件来获取输出。
input {
tcp {
port => 8088
type => syslog
}
udp {
port => 8088
type => syslog
}
}
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp}"
}
grep {
match => { "message" => "repositories#create" }
}
}
}
output {
elasticsearch { host => localhost }
stdout { codec => rubydebug }
}
我无法为您的回复添加我的评论,非常感谢您的回复。
您能否分享您的想法以获取用户名:和 repo:仅从此输出中,我正在尝试从该特定输出中分配值,再次感谢
消息:"github_audit: {"actor_ip":"192.168.1.1","from":"repositories#create","actor":"username","repo":"username/logstashrepo","user":"username ","created_at":1416299104782,"action":"repo.create","user_id":1033,"repo_id":44744,"actor_id":1033,"data":{"actor_location":{"location": {"lat":null,"lon":null}}}}",@version:"1",@timestamp:"2014-11-18T08:25:05.427Z",主机:"15-274-145- 63”,类型:“syslog”,syslog5424_pri:“190”,时间戳:“Nov 18 00:25:05”,actor_ip:“10.239.37.185”,来自:“repositories#create”,actor:“username”,repo :“用户名/logstashrepo”,用户:“用户名”,created_at:1416299104782,操作:“repo.create”,user_id:1033,repo_id:44744,actor_id:1033,