Logstash和Grok过滤器故障
[英]Logstash and Grok filter failure
问题描述
My log file has a single line (taken from the tutorial log file): 
我的日志文件只有一行(来自教程日志文件):
55.3.244.1 GET /index.html 15824 0.043
My conf file looks something like this: 我的conf文件看起来像这样:
input {
file {
path => "../http.log"
type => "http"
}
}
filter {
grok {
type => "http"
match => [ "message", "%{IP:client}" ]
}
}
I tested my grok filter with the grok debugger and it worked. 我用grok调试器测试了我的grok过滤器,它正常工作。 I'm at a loss of what I am doing wrong. 我不知道自己在做什么错。 I get a [0] "_grokparsefailure" every time 每次我得到[0]“ _grokparsefailure”
1 个解决方案
解决方案1
2 2014-11-21 20:14:25
As far as debugging a grok filter goes, you can use this link ( http://grokdebug.herokuapp.com/ ) It has a very comprehensive pattern detector which is a good start. 就调试grok过滤器而言,您可以使用此链接( http://grokdebug.herokuapp.com/ )。它具有非常全面的模式检测器,这是一个很好的开始。
If you only care about the IP and not the remainig part of the log message, following filter should work for you. 如果您只关心IP,而不关心日志消息的其余部分,则以下过滤器将为您工作。
%{IP:host} %{GREEDYDATA:remaining_data}
The best method to debug is use, stdin and stdout plugins for logstash and debug your grok patterns. 调试最好的方法是使用stdin和stdout为logstash和调试你的插件grok模式。
You can find the documentation here http://logstash.net/docs/1.4.2/ 您可以在这里找到文档http://logstash.net/docs/1.4.2/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.