【发布时间】:2019-12-16 10:12:26
【问题描述】:
我有这样的消息要被 grok 过滤器解析:
"@timestamp":"2019-12-16T08:57:33.804Z","@version":"1","message":"[可选[管理员]] (0.0.0.0, 0.0.0.0|0.0.0.0) 9999 批准 2019-12-16T08:57:30.414732Z","logger_name":"com.company.asd.asd.web.rest.MyClass","thread_name":"XNIO-1 task-5","level":"INFO","level_value":20000,"app_name":"asd","instance_id":"asd-123","app_port":"8080","version":" 0.0.1-SNAPSHOT"
我尝试http://grokdebug.herokuapp.com/ 来解析我的日志,我写了这样的正则表达式来做到这一点:
"@timestamp":"%{TIMESTAMP_ISO8601:logTime}","@version":"%{INT:version}","message":"[\D*[%{WORD:login}]] (%{IPV4:forwardedFor}\, %{IPV4:remoteAddr}\|%{IPV4:remoteAddr}) %{WORD:标识符} %{WORD:methodName} %{TIMESTAMP_ISO8601:actionaDate}%{GREEDYDATA:all}
它似乎在这个调试器中工作,但是当我尝试将此行添加到 .conf 文件中的过滤器时,它写入的所有内容都是 _grokparsefailure 并且我的消息保持不变,我的过滤器:
filter {
grok {
match => { "message" => ""@timestamp":"%{TIMESTAMP_ISO8601:logTime}","@version":"%{INT:version}","message":"\[\D*\[%{WORD:login}]\] \(%{IPV4:forwardedFor}\, %{IPV4:remoteAddr}\|%{IPV4:remoteAddr}\) %{WORD:identificator} %{WORD:methodName} %{TIMESTAMP_ISO8601:actionaDate}%{GREEDYDATA:all}" }
}
}
【问题讨论】:
标签: elasticsearch logstash kibana logstash-grok elk