Tagging the Logs by Logstash - Grok - ElasticSearch

Summary:

I am using Logstash - Grok and Elasticsearch, and my main aim is to first accept the logs by Logstash, parse them by grok and associate tags with the messages depending on the type of the log, and then finally feed it to the Elastic server to query with Kibana.

I have already written this code but am not able to get the tags in Elasticsearch. This is my Logstash config file.

input {
  stdin {
    type => "stdin-type"
  }
}
filter {
  grok {
    tags    => "mytags"
    pattern => "I am a %{USERNAME}"
    add_tag => "mytag"
    named_captures_only => true
  }
}
output {
  stdout { debug => true debug_format => "json"}
  elasticsearch {}
}

Where am I going wrong?

1) I would first start with editing your values to match the data type they represent. For example

     add_tag => "mytag"

actually should have an array as its value, not a simple string. Change that to

     add_tag => ["mytag"]

as a good start. Double check all your values and verify they are of the correct type for Logstash.

2) You are limiting your grok filters to messages that are already tagged with "mytags" based on the config line

    tags => "mytags"

I don't see anywhere where you have added that tag ahead of time. Therefore, none of your messages will even go through your grok filter.

3) Please read the Logstash docs carefully. I am rather new to the Logstash/Grok/ES/Kibana etc. world as well, but I have had very similar problems to what you have had, and all of them were solved by paying attention to what the documentation says.

You can run Logstash by hand (you may already be doing this) with /opt/logstash/bin/logstash -f $CONFIG_FILE and can check that your config file is valid with /opt/logstash/bin/logstash -f $CONFIG_FILE --configtest. I bet you're already doing that though.

You may need to put your add_tag stanza into an array:

grok {
    ...
    add_tag => [ "mytag" ]
}

It could also be that what you're piping into STDIN isn't being matched in the grok pattern. If grok doesn't match, it should result in _grokparsefailure being added to your tags. If you see those, it means your grok pattern isn't firing.

A better way to do this may be...

input {
  stdin {
    type => 'stdin'
  }
}
filter {
  if [type] == 'stdin' {
    mutate {
      add_tag => [ "mytag" ]
    }
  }
}
output {
  stdout {
    codec => 'rubydebug'
  }
}

This will add a "mytag" tag to all things coming from standard in, whether they're groked or not.
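To make the two behaviours the answers describe concrete, here is an added example (not code from the question or from either answer) that simulates, in plain Python, what the grok filter and the mutate filter do to a single event. It assumes the USERNAME definition from logstash-patterns-core ([a-zA-Z0-9._-]+) and models the old `tags => "mytags"` option as a gate that skips the filter entirely; the sample messages are constructed.

```python
import re

# Grok pattern library subset. USERNAME is the definition shipped in
# logstash-patterns-core (assumption: unchanged in the asker's version).
GROK_PATTERNS = {
    "USERNAME": r"[a-zA-Z0-9._-]+",
}


def grok_to_regex(pattern):
    """Expand %{NAME} / %{NAME:field} references into a Python regex.

    Only references that carry a :field name become named groups, which is
    what named_captures_only => true in the question's config means: a bare
    %{USERNAME} matches but stores nothing on the event.
    """
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern)


def grok_filter(event, pattern, add_tag, required_tags=()):
    """Simulate the grok filter on one event (a dict); returns a new dict.

    required_tags models the `tags => "mytags"` line from the question: when
    the event lacks any of them the filter is skipped outright, so neither
    mytag nor _grokparsefailure ever appears (answer point 2). On a match the
    named captures become fields and add_tag is appended; on a miss Logstash
    adds _grokparsefailure, the signal the second answer says to look for.
    """
    out = dict(event)
    tags = list(out.get("tags", []))
    if any(t not in tags for t in required_tags):
        return out
    m = re.search(grok_to_regex(pattern), out.get("message", ""))
    if m:
        out.update(m.groupdict())
        tags += [t for t in add_tag if t not in tags]
    elif "_grokparsefailure" not in tags:
        tags.append("_grokparsefailure")
    out["tags"] = tags
    return out


def mutate_add_tag(event, event_type, add_tag):
    """Simulate `if [type] == 'stdin' { mutate { add_tag => [...] } }`:
    tag every event of that type regardless of whether grok matched."""
    out = dict(event)
    if out.get("type") != event_type:
        return out
    tags = list(out.get("tags", []))
    out["tags"] = tags + [t for t in add_tag if t not in tags]
    return out


if __name__ == "__main__":
    # Constructed sample events, as if typed on stdin.
    for msg in ("I am a alice", "something else entirely"):
        ev = {"type": "stdin", "message": msg}
        print(grok_filter(ev, "I am a %{USERNAME:user}", ["mytag"]))
        print(mutate_add_tag(ev, "stdin", ["mytag"]))
```

Running it shows the difference between the two approaches: with the gate in place the event passes through untouched, without it a matching line gets "mytag" (and a "user" field only when the pattern names one), a non-matching line gets "_grokparsefailure", and the mutate route tags every stdin event unconditionally.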
