For example, the data format is as follows:
dev="1235667" pri="6" dev_type="ddos_clean" recorder="ads" vsid="0" sub_type=attacklog dst_addr=1.1.1.1 zonename=1504152157558 grpname=test
Just get the contents of the sub_type field, skip all other, not match each field。Because the message data format is random, i can't use fixed filtering rules. How can I achieve this?
Use a kv filter and its include_keys option to ignore everything but the "sub_type" key.
Thank you, I know this way, but I don't know how to deal with grok. I only see that the grok can be processed one by one. I don't see how to implement the ignore skip processing.Do you know the method of grok?
If the message format is not key-value, can it only be processed with grok? I want to know how grok is implemented.
A grok expression is basically a regular expression so you can use wildcards to ignore the parts you're not interested in. The grok expression sub_type=%{WORD:subtype} will find a subtype anywhere in the input string and extract a field from it, but it will also find bogus string like "whatever_sub_type=foo" so some care is needed.
thank you ,i'm try again
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.