堆栈内存溢出
  简体   繁体   English

Logstash-grok使用消息以外的其他字段

[英]Logstash - grok use a field other than message

 原文  2014-09-15 05:55:01       log4j/ logstash

问题描述

I am receiving Log4j generated log files from remote servers using Logstash forwarder. 我正在使用Logstash转发器从远程服务器接收Log4j生成的日志文件。 The log event has fields including a field named "file" in the format /tomcat/logs/app.log, /tomcat/logs/app.log.1, etc. Of course file path /tomcat/logs is on the remote machine and I would like Logstash to create files on the local file system using only the file name and not use the remote file path. 日志事件中的字段包括格式为/tomcat/logs/app.log、/tomcat/logs/app.log.1等的名为“文件”的字段。当然,文件路径/ tomcat / logs在远程计算机上我希望Logstash仅使用文件名而不使用远程文件路径在本地文件系统上创建文件。

Locally, I would like to create a file based on file name app.log, app.log.1, etc. How can one accomplish this? 在本地,我想基于文件名app.log,app.log.1等创建一个文件。如何实现此目的?

I am unable to use grok since it appears to work only with "message" field and not others. 我无法使用grok,因为它似乎仅适用于“消息”字段,而不适用于其他字段。

Example Log Event: 示例日志事件:

{"message":["11 Sep 2014 16:29:04,934 INFO LOG MESSAGE DETAILS HERE "],"@version":"1","@timestamp":"2014-09-15T05:44:43.472Z","file":["/tomcat/logs/app.log.1"],"host":"aus-002157","offset":"3116","type":"app.log"} {“ message”:[“ 2014年9月11日16:29:04,934此处的信息日志消息详细信息”],“ @ version”:“ 1”,“ @ timestamp”:“ 2014-09-15T05:44:43.472Z”, “文件”:[ “/ Tomcat的/日志/ app.log.1”], “宿主”: “AUS-002157”, “偏移量”: “3116”, “类型”: “app.log”}

Logstash configuration - what do I use to write the filter section? Logstash配置-如何编写过滤器部分? 

input {
    lumberjack {
      port => 48080
      ssl_certificate => "/tools/LogStash/logstash-1.4.2/ssl/logstash.crt"
      ssl_key => "/tools/LogStash/logstash-1.4.2/ssl/logstash.key"
    }
}

filter{

}

output {

    file{
        #message_format => "%{message}"
        flush_interval => 0
        path => "/tmp/%{host}.%{type}.%{filename}"
        max_size => "4M"
    }
}

2 个解决方案

解决方案1
 3  2014-09-15 14:31:18

Figured out the pattern to be as follows: 得出的模式如下: 

grok{
    match => [ "file",  "^(/.*/)(?<filename>(.*))$" ]
}

Thanks for the help! 谢谢您的帮助!

解决方案2
 2 已采纳  2014-09-15 06:11:51

Logstash Grok can parse all the fields in a log event, not only message field. Logstash Grok可以解析日志事件中的所有字段,而不仅仅是message字段。

For example, you want to extract the file field, you can do like this 例如,您要提取file字段,可以这样 

filter {
   grok {
       match => [ "file", "your pattern" ]
   }
}

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 这个log4j日志的logstash grok过滤器应该是什么? - What should be the logstash grok filter for this log4j log? 用于在 Logstash 中处理 log4j 日志模式的 grok 过滤器 - grok filter for processing log4j logs pattern in Logstash 将特定MDC字段附加到logstash日志中 - Append specific MDC field into logstash log logstash:如何从log4j消息中提取数据? - logstash : how to extract data from log4j message? 我可以在Web应用程序中使用log4j而不使用log4j.xml或log4j.properties以外的文件吗? - Can I use log4j in a web app with a file other than log4j.xml or log4j.properties? 错误登录位置未指定 - error logged in location other than specified 除了perf4j中的时间分段之外,是否还有其他参数 - Is there any other parameter other than timeslicing in perf4j 与管道的log4j grok失败 - log4j grok with pipes fail 除了使用MaxBackupIndex之外,我们是否可以删除log4j中某些日期之前的日志 - Can we delete the logs older than certain days in log4j other than using MaxBackupIndex MDC除了Spring Boot App中的Filter以外均无效 - MDC is not Effective other than Filter in Spring Boot App
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM