堆栈内存溢出
  简体   繁体   English

消息字段的Logstash grok匹配模式

[英]Logstash grok match pattern for message field

 原文  2015-07-10 11:47:17       regex/ logstash/ logstash-grok

问题描述

my log data is like, 我的日志数据就像

在文件中记录消息 .

There are total 4 lines are there(Starting from Date with Time). 共有4行(从日期到时间开始)。

My grok pattern is: 我的骗子模式是: 

grok { 
match => { "message" => "%{TIMESTAMP_ISO8601:time} \[%{NUMBER:thread}\] %{LOGLEVEL:loglevel} %{JAVACLASS:class} - %{GREEDYDATA:msg} " } }

Problem is: 问题是:

I am getting only some data of msg (GREEDYDATA) filed. 我只收到一些味精 (GREEDYDATA)数据。

EX: 例如:

Below data is missing when the 4th line parsing 第四行解析时缺少以下数据

遗漏数据

log is : 日志是: 

2015-01-31 15:58:57,400 [9] ERROR NCR.AKPOS.Enterprise_Comm.EventSender - EventSender.SendInvoice() Generate Message Error: System.ArgumentNullException: Value cannot be null.
Parameter name: value
   at System.Xml.Linq.XAttribute..ctor(XName name, Object value)
   at NCR.AKPOS.Enterprise_Comm.MessageHandlerObjecttoXMLHelper.CreateXMLFromInvoice(Invoice invoice, Customer_ID customer_id

2 个解决方案

解决方案1
 2  2015-07-10 12:08:00

Log stash typically parses each line at a time. 日志存储通常一次解析每一行。 For java exceptions you need to look at the multiline plugin . 对于Java异常,您需要查看multiline插件 See an example here: https://gist.github.com/smougenot/3182192 在此处查看示例: https//gist.github.com/smougenot/3182192

Your grok format seems ok, but without an example cannot be tested. 您的grok格式似乎还可以,但没有示例无法测试。 You can use the grok debugger app to test out your patterns. 您可以使用grok调试器应用程序测试您的模式。 https://grokdebug.herokuapp.com/ https://grokdebug.herokuapp.com/

解决方案2
 1  2015-07-14 08:37:03

Just remove the trailing white spaces from %{GREEDYDATA:msg} " } to %{GREEDYDATA:msg}"} 只需从%{GREEDYDATA:msg} " }%{GREEDYDATA:msg}"}删除尾随空格

So, total filter configuration is: 因此,总的过滤器配置为: 

filter {
multiline{
        pattern => "^%{TIMESTAMP_ISO8601}"
        what => "previous"
        negate=> true
    }
# Delete trailing whitespaces
  mutate {
    strip => "message"
  }
# Delete \n from messages
mutate {
    gsub => ['message', "\n", " "]
}

# Delete \r from messages
mutate {
    gsub => ['message', "\r", " "]
}
grok { 
  match => { "message" => "%{TIMESTAMP_ISO8601:time} \[%{NUMBER:thread}\] %{LOGLEVEL:loglevel} %{JAVACLASS:class} - %{GREEDYDATA:msg}" } 
}
if "Exception" in [msg] {
 mutate {
  add_field => { "msg_error" => "%{msg}" }
}
}
}

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Logstash grok模式可过滤自定义日志消息 - Logstash grok pattern to filter custom Log message logstash / grok 模式文件 - logstash / grok pattern file 匹配带有前缀和后缀的字符串使用Logstash grok模式 - Match string with prefix and suffix use Logstash grok pattern 如何在grok(logstash)中将模式“ a = bc = d”与顺序更改进行匹配? - How to match a pattern of “a=b c=d” with changing order in grok (logstash)? Logstash grok多行消息 - Logstash grok multiline message 带双引号的Logstash Grok模式 - Logstash Grok pattern with double quotes 发送到 logstash 的日志的 Grok 模式 - Grok pattern for logs sent to logstash 具有多个匹配项的Logstash Grok模式 - Logstash Grok pattern with multiple matches Logstash grok 过滤器 apache 模式 - Logstash grok filter apache pattern 找不到logstash grok过滤器模式 - logstash grok filter pattern not found
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM