我有这样的消息要由grok过滤器解析:
"@timestamp":"2019-12-16T08:57:33.804Z","@version":"1","message":"[Optional[admin]] (0.0.0.0, 0.0.0.0|0.0.0.0) 9999 approve 2019-12-16T08:57:30.414732Z","logger_name":"com.company.asd.asd.web.rest.MyClass","thread_name":"XNIO-1 task-5","level":"INFO","level_value":20000,"app_name":"asd","instance_id":"asd-123","app_port":"8080","version":"0.0.1-SNAPSHOT"
我尝试http://grokdebug.herokuapp.com/解析我的日志,并编写了这样的正则表达式来做到这一点:
"@timestamp":"%{TIMESTAMP_ISO8601:logTime}","@version":"%{INT:version}","message":"[\D*[%{WORD:login}]] (%{IPV4:forwardedFor}\, %{IPV4:remoteAddr}\|%{IPV4:remoteAddr}) %{WORD:identificator} %{WORD:methodName} %{TIMESTAMP_ISO8601:actionaDate}%{GREEDYDATA:all}
似乎在此调试器中有效,但是当我尝试将此行添加到.conf文件中的过滤器中时,它编写的所有内容都是_grokparsefailure,而我的消息保持不变,我的过滤器:
filter {
grok {
match => { "message" => ""@timestamp":"%{TIMESTAMP_ISO8601:logTime}","@version":"%{INT:version}","message":"\[\D*\[%{WORD:login}]\] \(%{IPV4:forwardedFor}\, %{IPV4:remoteAddr}\|%{IPV4:remoteAddr}\) %{WORD:identificator} %{WORD:methodName} %{TIMESTAMP_ISO8601:actionaDate}%{GREEDYDATA:all}" }
}
}
最佳答案
试试下面的骗子,
filter {
grok {
match => { "message" => "\"@timestamp\":\"%{TIMESTAMP_ISO8601:logTime}\",\"@version\":\"%{INT:version}\",\"message\":\"\[\D*\[%{WORD:login}]\] \(%{IPV4:forwardedFor}\, %{IPV4:remoteAddr}\|%{IPV4:remoteAddr}\) %{WORD:identificator} %{WORD:methodName} %{TIMESTAMP_ISO8601:actionaDate}%{GREEDYDATA:all}" }
}
}
关于elasticsearch - 如何使用Logstash解析日志,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/59354462/