0

我有来自一个日志源的事件,它可以有几种已知的格式。举个例子

10:45 Today is Monday
11:13 The weather is nice
12:00 The weather is cloudy

我可以match通过

The weather is %{WORD:weather}
Today is %{WORD:weekday}

我还不习惯 logstash 的格式filter。为了考虑这些可能性中的每一种,我应该建立类似的东西

if message =~ "The weather is"
{
    grok {
        "match" => "The weather is %{WORD:weather}"
    }
}
if message =~ "Today is"
{
    grok {
    "match" => "Today is %{WORD:weekday}"
    }
}

还是有更紧凑的东西?(例如具有关联映射的事件的可能模式列表)

4

1 回答 1

0

我找到了一个解决方案:枚举模式:

filter {
        grok {
                match =>  { "message" => [ "hello %{WORD:who}", "the weather is %{WORD:weather}" ] }

                }
      }
于 2015-01-30T13:30:32.367 回答