在Logstash中创建自定义grok模式
[英]Creating a custom grok pattern in Logstash
问题描述
I'm trying to add a custom pattern to Logstash in order to capture data from this kind of log line: 
我正在尝试向Logstash添加自定义模式,以便从这种日志行捕获数据:
[2017-11-27 12:08:22] production.INFO: {"upload duration":0.16923}
I followed the instructions on Logstash guide for grok and created a directory called patterns with a file in it called extra that contain: 我按照Logstash指南中grok的说明进行操作,并创建了一个名为patterns的目录,其中包含一个名为extra的文件,其中包含:
POSTFIX_UPLOAD_DURATION upload duration
and added the path to the config file: 并将路径添加到配置文件:
grok {
patterns_dir => ["./patterns"]
match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}\] %{POSTFIX_UPLOAD_DURATION: upload_duration} %{DATA:log_env}\.%{LOGLEVEL:severity}: %{GREEDYDATA:log_message}" }
}
However, I'm getting this error message: 但是,我收到此错误消息:
Pipeline aborted due to error {:exception=>#<Grok::PatternError: pattern %{POSTFIX_UPLOAD_DURATION: upload_duration} not defined>
Also, some log lines don't contain the 'upload duration' field, will this break the pipeline? 另外,某些日志行不包含“上载持续时间”字段,这会中断管道吗?
2 个解决方案
解决方案1
0 2017-11-29 05:25:35
您可以使用相对目录,只要它们相对于进程开始的当前工作目录,而不是conf文件或Logstash本身。
解决方案2
0 2017-11-30 10:46:35
I found out that there is better and more efficint way to capture data using the json plugin. 我发现,使用json插件可以更好,更有效地捕获数据。
I've add "log_payload:" in my logs and insert the data I need to capture in a json object. 我在日志中添加了“ log_payload:”,并将需要捕获的数据插入到json对象中。 Then I've used this pipeline to capture it. 然后,我使用了该管道来捕获它。
if ("log_payload:" in [log_message]) {
grok{
match => {"log_message" => 'log_payload:%{DATA:json_object}}%{GREEDYDATA}'}
}
mutate{
update => ["json_object", "%{[json_object]}}"]
}
json {
source => "json_object"
}
}
mutate {
remove_field => ["log_message", "json_object"]
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.