Logstash grok模式可过滤自定义日志消息
[英]Logstash grok pattern to filter custom Log message
问题描述
I am new to logstash and I want to filter fileds from log message. 
我是Logstash的新手,我想从日志消息中过滤文件。 Here is log message: 这是日志消息:
[2015-03-16 13:12:05,130] INFO - LogMediator ServiceName = TestService_v1,SystemDate = 3/16/15 1:12 PM,ServerIP = 127.0.1.1,ServerHost = Inspiron-3521,SequenceName = Validation,Message = Going to Validate Request ,MessageCode = null,ErrorMessage = null,ErrorDetail = null,ErrorException = null
From above log message I want to extract all fields, like ServiceName, SystemDate, SequenceName etc. What will be the grok pattern or Regex for this log message? 从上面的日志消息中,我想提取所有字段,例如ServiceName,SystemDate,SequenceName等。此日志消息的grok模式或正则表达式是什么?
Any help would be appreciated. 任何帮助,将不胜感激。
1 个解决方案
解决方案1
1 2015-03-23 12:38:36
you could first split your message in three parts (timestamp, loglevel and the remainding logdata) using: 您可以先使用以下方式将消息分为三个部分(时间戳,日志级别和其余日志数据):
\[%{TIMESTAMP_ISO8601:timestamp}\]\s+%{WORD:loglevel}\s+-\s+%{GREEDYDATA:logData}
You could then apply the csv filter to the logdata field like so: 然后,您可以将csv过滤器应用于logdata字段,如下所示:
csv {
columns => ["serviceName","systemDate","serverIP","serverHost","sequenceName","message","messageCode","errorMessage","errorDetail","errorException"]
separator => ","
}
This will split your logData after each , So you would get a new field named message containing the text "Message = Going to Validate Request" You could now edit the individual fields for instance you could extract the actual message using the following grok filter: 这将在每次之后分割logData,因此您将获得一个名为message的新字段,其中包含文本“ Message =要验证请求”。您现在可以编辑各个字段,例如,可以使用以下grok过滤器提取实际消息:
Message = %{GREEDYDATA:messageText}
I've found it very helpful to use the grok debugger to work out the individual grok patterns: http://grokdebug.herokuapp.com/ 我发现使用grok调试器找出各个grok模式非常有帮助: http ://grokdebug.herokuapp.com/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.