childe / hangout

Implements a few of Logstash's commonly used inputs/filters/outputs in Java, aiming for a large efficiency gain. We have since migrated to Go: https://github.com/childe/gohangout
MIT License
503 stars, 181 forks

Looking for guidance: I want to extract the content inside [ ]. How do I split this kind of data with grok? I followed the logstash way of writing it, but it has no effect #162

Open mad1230 opened 4 years ago

mad1230 commented 4 years ago

"[2020-07-17T09:21:22,629][INFO ][index.search.slowlog.query] [xxx] [xxx][4] took[753.7ms], took_millis[753], total_hits[1600383], types[], stats[], search_type[QUERY_THEN_FETCH], total_shards[990], source[{"size":500,"query":{"bool":{"must":[{"match_all":{"boost":1.0}},{"bool":{"should":[{"match_phrase":{"check_type":{"query":"4","slop":0,"zero_terms_query":"NONE","boost":1.0}}},{"match_phrase":{"check_type":{"query":"6","slop":0,"zero_terms_query":"NONE","boost":1.0}}}],"adjust_pure_negative":true,"minimum_should_match":"1","boost":1.0}},{"range":{"@timestamp":{"from":null,"to":null,"include_lower":true,"include_upper":true,"boost":1.0}}}],"adjust_pure_negative":true,"boost":1.0}},"version":true,"_source":{"includes":[],"excludes":[]},"stored_fields":"","docvalue_fields":["@timestamp","create_time"],"script_fields":{},"sort":[{"@timestamp":{"order":"desc","unmapped_type":"boolean"}}],"aggregations":{"2":{"date_histogram":{"field":"@timestamp","time_zone":"Asia/Shanghai","interval":"1d","offset":0,"order":{"_key":"asc"},"keyed":false,"min_doc_count":1}}},"highlight":{"pre_tags":["@kibana-highlighted-field@"],"post_tags":["@/kibana-highlighted-field@"],"fragment_size":2147483647,"fields":{"":{}}}}], "

childe commented 4 years ago

Can you describe what result you want?

mad1230 commented 4 years ago

It's the text above. I'd like to get this result: { "log_time":"2020-07-17T09:21:22,629", "level":"INFO", "indexType":"index.search.slowlog.query" }. In other words, extract the content inside the [ ] brackets and structure it like this. Could you help me with an example so I can learn from it?

childe commented 4 years ago

\[%{TIMESTAMP_ISO8601:log_time}\]\[%{LOGLEVEL:level}\s*\]\[%{DATA:indexType}\] Roughly like this.
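To make the answer concrete, here is a small added example (not code from hangout or gohangout) that expands a grok pattern into a Go regular expression with named groups and applies it to the slow-log line from the issue. It uses a constructed, simplified subset of the standard grok pattern library (TIMESTAMP_ISO8601, LOGLEVEL, DATA only; the real pattern files are more permissive), a shortened copy of the line posted above, and the helper names ExpandGrok, Grok, SlowlogPattern and UnescapedPattern, which are assumptions of this example. It also shows why the square brackets in the pattern must be escaped: unescaped, `[...]` is a regex character class and the pattern is rejected instead of extracting the three fields.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Simplified subset of the standard grok pattern library, constructed for this
// example. The real pattern files that hangout/logstash load define these more
// permissively and contain hundreds more patterns.
var grokPatterns = map[string]string{
	"TIMESTAMP_ISO8601": `\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2}(?:[.,]\d+)?)?(?:Z|[+-]\d{2}:?\d{2})?`,
	"LOGLEVEL":          `(?:TRACE|DEBUG|INFO|WARN|ERROR|FATAL)`,
	"DATA":              `.*?`,
}

// Pattern from the thread, with the square brackets escaped so they are
// matched literally instead of being read as regex character classes.
const SlowlogPattern = `\[%{TIMESTAMP_ISO8601:log_time}\]\[%{LOGLEVEL:level}\s*\]\[%{DATA:indexType}\]`

// The same pattern with unescaped brackets: a regex engine treats [...] as a
// character class, so this does not do what the asker expects.
const UnescapedPattern = `[%{TIMESTAMP_ISO8601:log_time}][%{LOGLEVEL:level}\s*][%{DATA:indexType}]`

// Constructed sample: the slow-log line from the issue, shortened.
const SampleLine = `[2020-07-17T09:21:22,629][INFO ][index.search.slowlog.query] [xxx] [xxx][4] took[753.7ms], took_millis[753], total_hits[1600383]`

// grokRef matches one %{NAME} or %{NAME:field} reference.
var grokRef = regexp.MustCompile(`%\{(\w+)(?::(\w+))?\}`)

// ExpandGrok rewrites every %{NAME:field} into a Go named capture group
// (?P<field>...) and every bare %{NAME} into a non-capturing group.
func ExpandGrok(pattern string) (string, error) {
	var expandErr error
	expanded := grokRef.ReplaceAllStringFunc(pattern, func(ref string) string {
		m := grokRef.FindStringSubmatch(ref)
		def, ok := grokPatterns[m[1]]
		if !ok {
			if expandErr == nil {
				expandErr = fmt.Errorf("unknown grok pattern %q", m[1])
			}
			return ref
		}
		if m[2] == "" {
			return "(?:" + def + ")"
		}
		return "(?P<" + m[2] + ">" + def + ")"
	})
	return expanded, expandErr
}

// Grok expands and compiles a grok pattern, applies it to one log line and
// returns the named fields, or an error if the pattern is invalid or does not match.
func Grok(pattern, line string) (map[string]string, error) {
	expanded, err := ExpandGrok(pattern)
	if err != nil {
		return nil, err
	}
	re, err := regexp.Compile(expanded)
	if err != nil {
		return nil, fmt.Errorf("compile %q: %w", expanded, err)
	}
	m := re.FindStringSubmatch(line)
	if m == nil {
		return nil, fmt.Errorf("pattern did not match line")
	}
	fields := make(map[string]string)
	for i, name := range re.SubexpNames() {
		if i > 0 && name != "" {
			fields[name] = m[i]
		}
	}
	return fields, nil
}

func main() {
	fields, err := Grok(SlowlogPattern, SampleLine)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	out, _ := json.MarshalIndent(fields, "", "  ")
	fmt.Println(string(out))

	// The unescaped variant is rejected at compile time rather than silently misparsing.
	if _, err := Grok(UnescapedPattern, SampleLine); err != nil {
		fmt.Println("unescaped pattern:", err)
	}
}
```

Running it prints the three fields the asker wanted (log_time, level, indexType) as JSON. The lazy `.*?` behind DATA is what stops indexType at the first `]`; with a greedy `.*` it would swallow everything up to the last `]` on the line, which is a common surprise when a slow-log line carries a large `source[...]` payload.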