How do I get Logstash grok to match a field that sometimes has a value and sometimes is absent? Is there a way to write a single pattern that matches all three of the lines below, instead of writing three separate patterns?
The logs are:
1. <134>1 2020-02-18T11:36:07Z CP5200 CheckPoint 30481 - [action:\"Detect\"; flags:\"313600\"; ifdir:\"outbound\"; ifname:\"eth1\"; loguid:\"{0x5e4ba2e0,0xa,0x290410ac,0xc0000001}\"; origin:\"172.16.4.1\";
2. <134>1 2020-02-18T11:36:07Z CP5200 CheckPoint 30481 - [action:\"Detect\"; flags:\"313600\"; ifdir:\"outbound\"; ifname:\"eth1\"; origin:\"172.16.4.1\";
3. <134>1 2020-02-18T11:22:53Z CP5200 CheckPoint 30481 - [action:\"Accept\"; flags:\"411908\"; ifdir:\"inbound\"; ifname:\"eth2\"; logid:\"0\"; loguid:\"{0x5e4bc90d,0x5,0x290410ac,0xc0000001}\"; origin:\"172.16.4.41\";
The patterns:
1. <%{INT:numberno}>%{INT:nonu}\s%{TIMESTAMP_ISO8601:logdate}\s%{NOTSPACE:cpname}\s%{NOTSPACE:checkpoint}\s%{NOTSPACE:zhuzi}\s- \[action:\\\"%{NOTSPACE:action}\\\"; flags:\\\"%{INT:flags}\\\"; ifdir:\\\"%{NOTSPACE:ifdir}\\\"; ifname:\\\"%{NOTSPACE:ifname}\\\"; loguid:\\\"%{NOTSPACE:loguid}\\\"; origin:\\\"%{IP:origin}\\\";
2. <%{INT:numberno}>%{INT:nonu}\s%{TIMESTAMP_ISO8601:logdate}\s%{NOTSPACE:cpname}\s%{NOTSPACE:checkpoint}\s%{NOTSPACE:zhuzi}\s- \[action:\\\"%{NOTSPACE:action}\\\"; flags:\\\"%{INT:flags}\\\"; ifdir:\\\"%{NOTSPACE:ifdir}\\\"; ifname:\\\"%{NOTSPACE:ifname}\\\"; origin:\\\"%{IP:origin}\\\";
3. <%{INT:numberno}>%{INT:nonu}\s%{TIMESTAMP_ISO8601:logdate}\s%{NOTSPACE:cpname}\s%{NOTSPACE:checkpoint}\s%{NOTSPACE:zhuzi}\s- \[action:\\\"%{NOTSPACE:action}\\\"; flags:\\\"%{INT:flags}\\\"; ifdir:\\\"%{NOTSPACE:ifdir}\\\"; ifname:\\\"%{NOTSPACE:ifname}\\\"; logid:\\\"%{INT:logid}\\\"; loguid:\\\"%{NOTSPACE:loguid}\\\"; origin:\\\"%{IP:origin}\\\";
2 replies
yang4210
[a-z]* means zero or more, e.g. abcd, or nothing at all (empty)
[a-z]+ means one or more, e.g. bbb, a, dd
[ ]+ means one or more spaces
* or + is how you handle a field that sometimes has a value and sometimes has none
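A worked example, added here and not part of yang4210's reply or the original thread: the three patterns in the question collapse into one by wrapping each field that is sometimes absent (logid, loguid) in an optional non-capturing group, `(?:...)?`, which grok's Oniguruma regex engine supports. Logstash itself cannot be run here, so the snippet expands the grok pattern into a Python regex on its own: the `GROK_PATTERNS` table is a hand-written subset of the standard grok library (with simplified `TIMESTAMP_ISO8601` and `IP`, an assumption of this example), `grok_to_regex` / `grok_match` / `parse_all` are helper names chosen for the demo, and the three log lines are the ones from the question. In the Python raw strings, `\\"` is the same thing as the `\\\"` written inside a double-quoted Logstash config string, i.e. the literal `\"` that appears in the logs.

```python
import re
from typing import Dict, List, Optional

# Hand-written subset of the standard grok pattern library (assumption of this
# example; TIMESTAMP_ISO8601 and IP are simplified). Only what the pattern needs.
GROK_PATTERNS = {
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "NOTSPACE": r"\S+",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
}

# One pattern for all three log shapes. logid and loguid are each wrapped in
# (?:...)? so they may be missing; the rest is the asker's own pattern.
# Python raw-string \\" == Logstash double-quoted config \\\" == literal \" in the log.
SINGLE_PATTERN = (
    r'<%{INT:numberno}>%{INT:nonu}\s%{TIMESTAMP_ISO8601:logdate}\s'
    r'%{NOTSPACE:cpname}\s%{NOTSPACE:checkpoint}\s%{NOTSPACE:zhuzi}\s- '
    r'\[action:\\"%{NOTSPACE:action}\\"; flags:\\"%{INT:flags}\\"; '
    r'ifdir:\\"%{NOTSPACE:ifdir}\\"; ifname:\\"%{NOTSPACE:ifname}\\"; '
    r'(?:logid:\\"%{INT:logid}\\"; )?'
    r'(?:loguid:\\"%{NOTSPACE:loguid}\\"; )?'
    r'origin:\\"%{IP:origin}\\";'
)

# Constructed sample input: the three lines from the question, copied verbatim.
SAMPLE_LOGS = [
    r'<134>1 2020-02-18T11:36:07Z CP5200 CheckPoint 30481 - [action:\"Detect\"; flags:\"313600\"; ifdir:\"outbound\"; ifname:\"eth1\"; loguid:\"{0x5e4ba2e0,0xa,0x290410ac,0xc0000001}\"; origin:\"172.16.4.1\";',
    r'<134>1 2020-02-18T11:36:07Z CP5200 CheckPoint 30481 - [action:\"Detect\"; flags:\"313600\"; ifdir:\"outbound\"; ifname:\"eth1\"; origin:\"172.16.4.1\";',
    r'<134>1 2020-02-18T11:22:53Z CP5200 CheckPoint 30481 - [action:\"Accept\"; flags:\"411908\"; ifdir:\"inbound\"; ifname:\"eth2\"; logid:\"0\"; loguid:\"{0x5e4bc90d,0x5,0x290410ac,0xc0000001}\"; origin:\"172.16.4.41\";',
]

# %{NAME:field} or %{NAME}
_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME:field} into a Python named group and %{NAME} into a bare group."""
    def expand(m):
        body = GROK_PATTERNS[m.group(1)]  # KeyError on an unknown pattern name
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return _GROK_REF.sub(expand, pattern)


def grok_match(pattern: str, line: str) -> Optional[Dict[str, str]]:
    """Return the captured fields, or None if the line does not match.

    Like grok, the pattern is not anchored (search rather than match). Fields
    that sit inside an optional group which did not take part in the match are
    left out of the result instead of being set to None.
    """
    m = re.search(grok_to_regex(pattern), line)
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


def parse_all(lines: List[str]) -> List[Optional[Dict[str, str]]]:
    """Run the single pattern over every line; None marks a grok failure."""
    return [grok_match(SINGLE_PATTERN, line) for line in lines]


if __name__ == "__main__":
    for line, fields in zip(SAMPLE_LOGS, parse_all(SAMPLE_LOGS)):
        print("MATCH" if fields else "NO MATCH", fields)
```

In the Logstash config the same idea is written as `(?:loguid:\\\"%{NOTSPACE:loguid}\\\"; )?` in place of the unconditional `loguid:\\\"%{NOTSPACE:loguid}\\\"; ` piece, and a capture that did not participate produces no field on the event. Keep the optional groups in the order the fields appear in the log (logid before loguid here), because grok matches left to right and will not reorder them.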
kingen9 - IT