忽略神交日志的端部

Question

我是新与神交和logstash我有与空间这样

1477879888.908 728 486704579 TCP_REFRESH_UNMODIFIED/304 254 GET http://security.ubuntu.com/ubuntu/dists/precise-security/main/i18n/Index - HIER_DIRECT/91.189.88.162 - 

我只是想填料我的日志，只有这部分，而忽略其他分隔的日志文件部分

1477879888.908 728 486704579 TCP_REFRESH_UNMODIFIED/304 254 GET http://security.ubuntu.com/ubuntu/dists/precise-security/main/i18n/Index 

忽略其他部分（我只想7个空格分隔数据和其他数据ignoree

Answer 1

您可以使用此神交模式。

%{BASE10NUM:number1}%{SPACE}%{INT:number2}%{SPACE}%{INT:number3}%{SPACE}%{WORD:msg}/%{INT:number4}%{SPACE}%{INT:number5}%{SPACE}%{WORD:protocol}%{SPACE}%{URI:action} 

输入

1477879888.908 728 486704579 TCP_REFRESH_UNMODIFIED/304 254 GET http://security.ubuntu.com/ubuntu/dists/precise-security/main/i18n/Index - HIER_DIRECT/91.189.88.162 - 

输出

number1  477879888.908 
number2  728 
port  
number5  254 
number4  304 
msg   TCP_REFRESH_UNMODIFIED 
action  http://security.ubuntu.com/ubuntu/dists/precise-security/main/i18n/Index 
protocol GET 
number3  486704579 

然后可以合并msg和number4获得一个新的领域tcpMsg。最后删除msg,number4和port。

mutate { 
    add_field => { 
    "tcpMsg" => "%{msg}/%{number4}" 
    } 
    remove_field => ["msg", "number4","port"] 
} 

希望这会有所帮助。