从输入文件路径logstash提取字段？ [英] Extracting fields from input file path logstash?

问题描述

我想从各种目录中读取我的日志文件，例如： Server1，Server2 ...

I want to read my log files from various directories, like: Server1, Server2...

Server1 在这些子目录中有 cron，auth ...的子目录是日志文件。

Server1 has subdirectories as cron, auth...inside these subdirectories is the log file respectively.

所以我正在考虑读这样的文件：

So I am contemplating of reading files like this:

input{
         file{            
                                     #path/to/folders/server1/cronLog/cron_log

                             path => "path/to/folders/**/*_log"
            }
    }

但是，我有困难过滤它们，即知道哪个服务器（ Server1 ）和logtype（ cron ），我必须应用 grok 模式：

However, I am having difficulty in filtering them i.e to know that for which server (Server1) and logtype (cron), I must apply the grok pattern:

例如：我想这样做

if [path] =~ "auth"{

grok{
            match => ["message", ***patteren****]
        }
    }else if [path] =~ "cron"{
        grok{
            match => ["message", ***pattern***]
        }

c $ c> cron 是用于日志文件（不是cronLog目录）。
但是像这样我还要过滤服务器名称，因为每个服务器都会有 cron ，<$

Above cron is for log file (not cronLog directory). But like this I also want to filter on server name as every server will have cron, auth,etc logs.

如何过滤？

是否有一种方法从输入中的 path 获取目录名称？喜欢这里

Is there a way to grab directory names from path in input ?? Like from here

path => "path/to/folders/**/*_log"

任何帮助是赞赏？

推荐答案

它非常直接，几乎完全像我的其他答案...你使用grok然后你可以做任何你想要的东西。

its very straight forward, and almost exactly like in my other answer... you use the grok on the path to extract the pieces out that you care about and then you can do whatever you want from there

filter {
   grok { "path", "path/to/here/(?<server>[^/]+)/(?<logtype>[^/]+)/(?<logname>.*) }
   if [server] == "blah" && [logtype] =~ "cron" {
       grok { "message", "** pattern **" }
   }
}

这篇关于从输入文件路径logstash提取字段？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！