问题[logstash]

有这个日志：

<30>Jun 8 16:47:02 oem-virtual-machine dbus-daemon[668]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'

我正在尝试这样做： 1）如果有单词成功或例如失败，则在该字段中写下第一个或第二个单词。我不明白如何使用正则表达式来做到这一点。此外，例如，带有空格：在一个日志中有一个额外的空间，在另一个日志中它是完全相同的，不。它们不再不同，但需要使用单个正则表达式对其进行解析。

2) 'org.freedesktop.nm_dispatcher' 行。如果是，则将其写在某个字段中。如果不是，那么仍然会解析日志，并且不会在任何地方写入任何内容。

到目前为止，我只写了这个：

%{MONTH}\s\s%{MONTHDAY}\s%{TIME}\s%{HOSTNAME:[alertix][host]}\s%{NOTSPACE:[alertix][process][name]}:\s%{NOTSPACE}\s(Successfully|Failure)

大家好，告诉我这段代码是否正确：

if [type] == "" or [type] == "" or [type] == ""

如果不是，在这种情况下可以使用哪些枚举运算符，在 if 块中，对所有带有 type 标签的对象进行检查，对象如下所示

file {
type => "runstatus12"
path => "C:/BuildAgent2/work/baef4ea7e758f5b8/dms-selenium-tests/TestSelenium/bin/Debug/runStatus.log"
mode => "tail"
start_position => "beginning"
codec => plain { charset => "Windows-1251" }
sincedb_path => "nul"}

在此先感谢，
文件的整个代码如下所示：

input {
  elasticsearch {
    user => "logstash_internal"
    password => "12341234"
  }
  file {
    type => "pikautotesttc"
    path => "C:/BuildAgent/work/baef4ea7e758f5b8/dms-selenium-tests/TestSelenium/bin/Debug/Logs/**/*.log*"
    mode => "tail"
    start_position => "beginning"
    codec => plain { charset => "Windows-1251" }
    sincedb_path => "nul"
  }
  file {
    type => "runstatus"
    path => "C:/BuildAgent/work/baef4ea7e758f5b8/dms-selenium-tests/TestSelenium/bin/Debug/runStatus.log"
    mode => "tail"
    start_position => "beginning"
    codec => plain { charset => "Windows-1251" }
    sincedb_path => "nul"
  }
  file {
    type => "pikautotesttc12"
    path => "C:/BuildAgent2/work/baef4ea7e758f5b8/dms-selenium-tests/TestSelenium/bin/Debug/Logs/**/*.log*"
    mode => "tail"
    start_position => "beginning"
    codec => plain { charset => "Windows-1251" }
    sincedb_path => "nul"
  }
  file {
    type => "runstatus12"
    path => "C:/BuildAgent2/work/baef4ea7e758f5b8/dms-selenium-tests/TestSelenium/bin/Debug/runStatus.log"
    mode => "tail"
    start_position => "beginning"
    codec => plain { charset => "Windows-1251" }
    sincedb_path => "nul"
  }
}

filter {
  elasticsearch {
    user => "logstash_internal"
    password => "12341234"
  }
  fingerprint {
    source => "message"
    target => "[@metadata][fingerprint]"
    method => "MD5"
    key => "pik"
  }
  if [type] == "runstatus" or [type] == "runstatus12" 
  {
    grok {
        match => {
        "message" => "%{DATESTAMP:date}\s+%{WORD:loglevel}\s+(\[\d+\])?\s+:\s*Сценарий - (?<scenario>.*?)(?=\;)\;\sссылка на контракт - (?<positionUrl>.*)(?=\;)\; попытка \((?<attempt>\d)\/5\) - (?<status>.*)(?=\;)\;\s?(?<screenshot>(.*)?)"
        }
      }
      date {
      match => ["date", "yy-MM-dd HH:mm:ss,SSS"]
      target => "@timestamp"
    }
  }
  if [type] == "pikautotesttc" or [type] == "pikautotesttc12"
  {
      if "URL:" in [message]
    {
      grok {
        match => {
        "message" => "%{DATESTAMP:logdate}\s+%{WORD:loglevel}\s+(\[\d+\])?\s+:\s*%{GREEDYDATA:msgbody}(?= URL: )?( URL: )%{GREEDYDATA:url}(?=\.)\.( User: )?%{GREEDYDATA:user}"
        }
      }
    }
    else
    {
     grok {
        match => {
          "message" => "%{DATESTAMP:logdate}\s+%{WORD:loglevel}\s+(\[\d+\])?\s+:\s*%{GREEDYDATA:msgbody}"
        }
      }
    }
    grok {
      match => { 
        "msgbody" => [
          "Test (?<status>[^&]*)",
          "Время выполнения (контракта|теста) \(первая попытка\): (?<duration>\d+.\d+)"
        ]
      }
      match => {
        "path" => "log\.?(?<attempt>\d)"
      }
      break_on_match => false
    }
    date {
      match => ["logdate", "yy-MM-dd HH:mm:ss,SSS"]
      target => "@timestamp"
    }
    mutate {
      convert => {
        "duration" => "float"
      }
    }
  }
}

output {
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => true
    index => "logstash-%{type}"
    document_id => "%{[@metadata][fingerprint]}"
    user => "logstash_internal"
    password => "12341234"
  }
}