如何使用grok转换logstash中的日志
[英]How to use grok to convert log in logstash
问题描述
Here is my log format: 
这是我的日志格式:
TIME|HOST-IP|REQUEST-ID|UID|USERNAME|USER-AGENT|METHOD|URI|CONTROLLER-METHOD|PARAMS-MAP|RESPONSE-CODE
And, log looks like: 并且,日志看起来像:
2016-11-12 21:02:45.878|192.168.31.205|368284310235387-20|1|wangziyi|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36|GET|/api/v1|com.didi.km.api.controller.api.v1.IndexController#index[1 args]|{"hi":["asd"]}|200
2016-11-12 21:02:46.100|192.168.31.205|368284310235387-21|1|wangziyi|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36|GET|/api/v1|com.didi.km.api.controller.api.v1.IndexController#index[1 args]|{"hi":["asd"]}|200
2016-11-12 21:02:46.389|192.168.31.205|368284310235387-22|1|wangziyi|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36|GET|/api/v1|com.didi.km.api.controller.api.v1.IndexController#index[1 args]|{"hi":["asd"]}|200
2016-11-12 21:02:46.507|192.168.31.205|368284310235387-23|1|wangziyi|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36|GET|/api/v1|com.didi.km.api.controller.api.v1.IndexController#index[1 args]|{"hi":["asd"]}|200
Logstash version is 5.0.0, Log was send by Filebeat on server. Logstash版本是5.0.0,日志是通过Filebeat在服务器上发送的。
My logstash config is: 我的logstash配置为:
input {
beats {
port => "5043"
}
}
filter {
grok {
match => { "message" => "%{WORD:time}|%{IP:hostIP}|%{WORD:requestId}|%{NUMBER:uid:int}|%{WORD:username}|%{WORD:method}|%{URIPATHPARAM:uri}|%{WORD:cont
rollerMethod}|%{WORD:params}" }
}
}
output {
stdout { codec => rubydebug }
elasticsearch {
hosts => [ "10.94.66.193:9200" ]
}
}
But, I just get the message field only: 但是,我只得到消息字段:
{
"@timestamp" => 2016-11-12T13:02:48.607Z,
"offset" => 31831,
"@version" => "1",
"input_type" => "log",
"beat" => {
"hostname" => "localhost",
"name" => "localhost",
"version" => "5.0.0"
},
"host" => "localhost",
"source" => "logs/km-access.2016-11-12.log",
"time" => "2016",
"message" => "2016-11-12 21:02:46.507|192.168.31.205|368284310235387-23|1|wangziyi|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36|GET|/api/v1|com.didi.km.api.controller.api.v1.IndexController#index[1 args]|{\"hi\":[\"asd\"]}|200",
"type" => "log",
"tags" => [
[0] "beats_input_codec_plain_applied"
]
}
Is there some issue in my config code ? 我的配置代码中有问题吗?
1 个解决方案
解决方案1
0 2016-11-12 15:46:41
use the follow pattern to match this log: 使用以下模式匹配此日志:
%{TIMESTAMP_ISO8601}\|%{IP}\|(?<requestID>\d+-\d+)\|%{INT:uid}\|%{WORD:username}\|(?<ua>(\w|\/|\.|\s|\(|;|\)|,)+)\|%{WORD:method}\|(?<uri>(\w|\/)+)\|(?<controllerMethod>(\w|\d|\s|\.|#|\[|\])+)\|(?<param>(\w|{|}|"|\:|\[|\])+)\|%{NUMBER:statusCode}\
And, thanks https://grokdebug.herokuapp.com/ 而且,谢谢https://grokdebug.herokuapp.com/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
使用grok将日志文件名添加为logstash中的字段 - Use grok to add the log filename as a field in logstash
如何使用grok和logstash从日志中提取值 - How to extract value from log with grok and logstash
如何使用Grok在Logstash中解析日志字符串? - How to parse a log string in Logstash using Grok?
Grok 用于日志文件 Logstash - Grok for log files Logstash
如何使用自定义Logstash grok模式? - How to use custom Logstash grok patterns?
如何使用Logstash过滤作为哈希值的消息 - How to use logstash to grok the message which is a hash
如何在logstash的grok模式中使用IF ELSE条件 - How to use IF ELSE condition in grok pattern in logstash
在Logstash Grok模式中使用?> - Use of ?> in Logstash Grok patterns
Logstash Grok筛选器访问日志 - Logstash Grok Filter Access Log
用于自定义日志的Logstash筛选器Grok - Logstash Filter Grok for custom log
相关标签