elasticsearch - How to filter JSON data from a log4j file using logstash?

Tags: elasticsearch log4j logstash logstash-grok elastic-stack

I have a log file like the one below.

2014-12-24 09:41:29,383 INFO c.t.t.a.c.LoginController.getCSRFToken [http-bio-8080-exec-4] in getCSRFToken
2014-12-24 09:41:29,383 DEBUG c.t.t.a.c.LoginController.getCSRFToken [http-bio-8080-exec-4] CSRFToken set successfully.
2014-12-24 09:44:26,607 INFO c.t.t.a.c.LoginController.getCSRFToken [http-bio-8080-exec-8] in getCSRFToken
2014-12-24 09:44:26,609 DEBUG c.t.t.a.c.LoginController.getCSRFToken [http-bio-8080-exec-8] CSRFToken set successfully.
2014-12-26 09:55:28,399 INFO c.t.t.a.c.LoginController.getCSRFToken [http-bio-8080-exec-9] in getCSRFToken
2014-12-26 09:55:28,401 DEBUG c.t.t.a.c.LoginController.getCSRFToken [http-bio-8080-exec-9] CSRFToken set successfully.
2014-12-26 11:10:32,135 INFO c.t.t.a.c.LoginController.getCSRFToken [http-bio-8080-exec-10] in getCSRFToken
2014-12-26 11:10:32,136 DEBUG c.t.t.a.c.LoginController.getCSRFToken [http-bio-8080-exec-10] CSRFToken set successfully.
2014-12-26 11:12:40,500 INFO c.t.t.a.c.LoginController.getCSRFToken [http-bio-8080-exec-7] in getCSRFToken
2014-12-26 11:12:40,501 DEBUG c.t.t.a.c.LoginController.getCSRFToken [http-bio-8080-exec-7] CSRFToken set successfully.
2015-11-30 16:21:09,145 INFO c.t.t.s.a.i.AnalyticsServiceImpl.captureHit [http-bio-8080-exec-9] EnquiryDetails : {"createdTime":1448880669029,"modifiedTime":null,"active":true,"deleted":false,"deletedOn":-1,"guid":null,"uuid":null,"id":130771,"instanceId":130665,"pos":"","channel":"Web","flightNo":"TWBL2DL2","orig":"BLR","dest":"DEL","cabCls":"ECONOMY","logCls":"Y","noOfPaxs":1,"scheduleEntryId":130661,"travelDateTime":[2015,12,1,21,30],"enquiryDateTime":[2015,11,30,16,21,9,23000000]}

You will notice that the last line contains some JSON data.
I am trying to configure Logstash to extract this JSON data.
Here is my logstash configuration file:
input {
  file {
    path => "C:/Users/TESTER/Desktop/files/test1.log"
    type => "test"
    start_position => "beginning"
  }
}

filter {
  grok {
    match => [ "message" , "timestamp : %{DATESTAMP:timestamp}", "severity: %{WORD:severity}", "clazz: %{JAVACLASS:clazz}", "selco: %{NOTSPACE:selco}", "testerField: (?<ENQDTLS>EnquiryDetails :)"]
  }
}

output {
  elasticsearch {
    hosts => "localhost"
    index => "test1"
  }
  stdout {}
}

But this is my logstash output:
C:\logstash-2.0.0\bin>logstash -f test1.conf
io/console not supported; tty will not be manipulated
Default settings used: Filter workers: 2
Logstash startup completed
2016-01-08T08:02:02.029Z TW 2014-12-24 09:41:29,383 INFO c.t.t.a.c.LoginController.getCSRFToken [http-bio-8080-exec-4] in getCSRFToken
2016-01-08T08:02:02.029Z TW 2014-12-24 09:44:26,607 INFO c.t.t.a.c.LoginController.getCSRFToken [http-bio-8080-exec-8] in getCSRFToken
2016-01-08T08:02:02.029Z TW 2014-12-24 09:44:26,609 DEBUG c.t.t.a.c.LoginController.getCSRFToken [http-bio-8080-exec-8] CSRFToken set successfully.
2016-01-08T08:02:02.029Z TW 2014-12-26 09:55:28,399 INFO c.t.t.a.c.LoginController.getCSRFToken [http-bio-8080-exec-9] in getCSRFToken
2016-01-08T08:02:02.029Z TW 2014-12-26 09:55:28,401 DEBUG c.t.t.a.c.LoginController.getCSRFToken [http-bio-8080-exec-9] CSRFToken set successfully.
2016-01-08T08:02:02.029Z TW 2014-12-26 11:10:32,135 INFO c.t.t.a.c.LoginController.getCSRFToken [http-bio-8080-exec-10] in getCSRFToken
2016-01-08T08:02:02.029Z TW 2014-12-26 11:10:32,136 DEBUG c.t.t.a.c.LoginController.getCSRFToken [http-bio-8080-exec-10] CSRFToken set successfully.
2016-01-08T08:02:02.029Z TW 2014-12-24 09:41:29,383 DEBUG c.t.t.a.c.LoginController.getCSRFToken [http-bio-8080-exec-4] CSRFToken set successfully.
2016-01-08T08:02:02.029Z TW 2014-12-26 11:12:40,500 INFO c.t.t.a.c.LoginController.getCSRFToken [http-bio-8080-exec-7] in getCSRFToken
2016-01-08T08:02:02.029Z TW 2015-11-30 16:21:09,145 INFO c.t.t.s.a.i.AnalyticsServiceImpl.captureHit [http-bio-8080-exec-9] EnquiryDetails : {"createdTime":1448880669029,"modifiedTime":null,"active":true,"deleted":false,"deletedOn":-1,"guid":null,"uuid":null,"id":130771,"instanceId":130665,"pos":"","channel":"Web","flightNo":"TWBL2DL2","orig":"BLR","dest":"DEL","cabCls":"ECONOMY","logCls":"Y","noOfPaxs":1,"scheduleEntryId":130661,"travelDateTime":[2015,12,1,21,30],"enquiryDateTime":[2015,11,30,16,21,9,23000000]}
2016-01-08T08:02:02.029Z TW 2014-12-26 11:12:40,501 DEBUG c.t.t.a.c.LoginController.getCSRFToken [http-bio-8080-exec-7] CSRFToken set successfully.

Can someone tell me what I am doing wrong here? Thanks.

Best answer

You don't say what "error" you're getting, so I'll assume you're concerned about the fields missing from the output.

First, use the rubydebug or json codec in the stdout {} output stanza. It will show you more detail.

Second, it looks like your grok {} is all messed up. grok {} takes one input field and one or more regular expressions to apply to that input. You're giving it the input ("message"), but this regex:

 "timestamp : %{DATESTAMP:timestamp}"

doesn't match your input, because you don't have the literal string "timestamp :" in it.

You need something more like:
 "%{DATESTAMP} %{WORD:severity}" (etc)

I'd recommend setting up one grok {} stanza that pulls out all the common information (including everything in the []). Then use another one to handle the different message types.
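The two-stage approach the answer describes (one common pattern for the prefix every line shares, then a second stage only for the message type that carries JSON) can be checked outside Logstash before touching the pipeline. The script below is an added example, not code from the question or the answer: it uses Python regular expressions equivalent to the grok patterns TIMESTAMP_ISO8601, LOGLEVEL, JAVACLASS, DATA and GREEDYDATA, and json.loads in place of the Logstash json filter. The sample lines are constructed from the question's log plus one line with deliberately broken JSON, and the field names (timestamp, severity, clazz, thread, msg, enquiry) are my own choices.

```python
import json
import re

# Constructed sample: two lines taken from the question's log, plus one line
# whose JSON has a trailing comma so that the JSON failure path is exercised.
SAMPLE_LOG = """\
2014-12-24 09:41:29,383 INFO c.t.t.a.c.LoginController.getCSRFToken [http-bio-8080-exec-4] in getCSRFToken
2015-11-30 16:21:09,145 INFO c.t.t.s.a.i.AnalyticsServiceImpl.captureHit [http-bio-8080-exec-9] EnquiryDetails : {"createdTime":1448880669029,"channel":"Web","flightNo":"TWBL2DL2","orig":"BLR","dest":"DEL","noOfPaxs":1}
2015-11-30 16:21:10,000 INFO c.t.t.s.a.i.AnalyticsServiceImpl.captureHit [http-bio-8080-exec-9] EnquiryDetails : {"createdTime":1448880669029,"channel":"Web",}
"""

# Stage 1: the common prefix. This is the Python equivalent of the grok pattern
#   %{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:severity} %{JAVACLASS:clazz} \[%{DATA:thread}\] %{GREEDYDATA:msg}
# There is no literal "timestamp :" text in a log line, which is why the
# pattern in the question never matched anything.
COMMON = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<severity>[A-Z]+) "
    r"(?P<clazz>(?:[A-Za-z$_][A-Za-z$_0-9]*\.)*[A-Za-z$_][A-Za-z$_0-9]*) "
    r"\[(?P<thread>[^\]]*)\] "
    r"(?P<msg>.*)$"
)

# Stage 2: applied only to the message type that carries JSON. In Logstash this
# is a second grok on [msg] followed by a json filter with source/target.
ENQUIRY = re.compile(r"^EnquiryDetails : (?P<enquiry_json>\{.*\})$")


def parse_line(line):
    """Extract fields from one log line.

    Failures are recorded in a 'tags' list the way Logstash does
    (_grokparsefailure, _jsonparsefailure) instead of dropping the event, so
    that unparsed lines remain visible in the index.
    """
    event = {"message": line, "tags": []}
    m = COMMON.match(line)
    if not m:
        event["tags"].append("_grokparsefailure")
        return event
    event.update(m.groupdict())

    # Conditional second stage, like: if [msg] =~ /^EnquiryDetails : / { ... }
    e = ENQUIRY.match(event["msg"])
    if e:
        try:
            # Nested under its own key so enquiry fields cannot collide with
            # the event's own fields (the json filter's target option).
            event["enquiry"] = json.loads(e.group("enquiry_json"))
        except json.JSONDecodeError:
            event["tags"].append("_jsonparsefailure")
    return event


def parse_log(text):
    """Parse every non-empty line of a log file's contents."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(json.dumps(ev, indent=2))
```

Running it prints one event per line with the common fields filled in, the second line additionally carrying a nested enquiry object, and the third line tagged _jsonparsefailure while still keeping its prefix fields. Once the patterns behave here, the same two patterns can be moved into two grok {} stanzas, with the JSON handed to a json filter, and the rubydebug codec on stdout shows the same field layout.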

Regarding elasticsearch - How to filter JSON data from a log4j file using logstash?, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/34674623/
