我有一个问题与Logstash翻译过滤器,找不到任何解决方案。我想创建一个字段的供应商名称,我采取前6个字符从源和目标mac和比较这些值与我的字典。过滤器片段:
if [source][mac] or [destination][mac] {
grok {
tag_on_failure => [ "vendorsmac_grok" ]
pattern_definitions => {
SRC_VENDOR => "^(?<[vendor][source][mac]>.{6}).+"
DST_VENDOR => "^(?<[vendor][destination][mac]>.{6}).+"
}
match => {
"[source][mac]" => "%{SRC_VENDOR}"
"[destination][mac]" => "%{DST_VENDOR}"
}
}
translate {
dictionary_path => "/etc/logstash/dictionary/mac_vendor.yml"
field => "[vendor][source][mac]"
destination => "[vendor][source][name]"
fallback => "unknown device SRC VENDOR"
add_tag => "Vendor_SRC_MAC"
}
translate {
dictionary_path => "/etc/logstash/dictionary/mac_vendor.yml"
field => "[vendor][destination][mac]"
destination => "[vendor][destination][name]"
fallback => "unknown device DST VENDOR"
add_tag => "Vendor_DST_MAC"
}
}当我的grok中有这两个匹配项时,translate只需要第二个匹配项,结果如下:
"vendor" => {
"destination" => {
"name" => "unknown device DST VENDOR",
"mac" => "9077EE"
}但是在我的事件中没有关于源MAC的信息,它被完全忽略了。
grok {
tag_on_failure => [ "vendorsmac_grok" ]
pattern_definitions => {
SRC_VENDOR => "^(?<[vendor][source][mac]>.{6}).+"
#DST_VENDOR => "^(?<[vendor][destination][mac]>.{6}).+"
}
match => {
"[source][mac]" => "%{SRC_VENDOR}"
#"[destination][mac]" => "%{DST_VENDOR}"
}
}我已正确解析[供应商][来源][名称]字段:
"vendor" => {
"source" => {
"name" => "Wistron",
"mac" => "54EE75"
}有人能告诉我这里出了什么问题吗?我面临着某种bug吗?在Logstash 7.10.2-1和7.17.2-1上测试。
1条答案
按热度按时间vlurs2pr1#
快速查看文档... grok中的选项
break_on_match默认设置为true。我将其更改为false,它工作了。为此我浪费了很多时间:D