如果语句不适用于 grok 过滤器 logstash
[英]If statement not working on grok filter logstash
问题描述
Problem
问题
I'm trying to learn logstash and parsing grok with conditional statement.我正在尝试使用条件语句学习 logstash 和解析 grok。 The logs succesfully parsed outside if statement, but nothing parsed inside the statement.日志在 if 语句外部成功解析,但在语句内部没有解析任何内容。 Seems like grok not reading the expression.似乎 grok 没有阅读表达式。
target目标
[2020-01-09 08:32:46] VERBOSE[18962][C-0000ceae] pbx.c: Executing [s@macro-dialout-trunk:26] NoOp("PJSIP/3513-0001108e", "Dial failed for some reason with DIALSTATUS = BUSY and HANGUPCAUSE = 19") in new stack
filter
{
grok
{
match =>
{
"message" => "\[%{TIMESTAMP_ISO8601:log_timestamp}\] +(?<log_level>(?i)(?:debug|notice|warning|error|verbose|dtmf|fax|security)(?-i))\[%{INT:thread_id}\](?:\[%{DATA:call_thread_id}\])? %{DATA:module_name}\: %{WORD:action}\s\[%{DATA:TARGET}@%{DATA:dialplan_context}:%{DATA:dialplan_priority}\]\s%{GREEDYDATA:log_message}"
}
add_field => ["receiver_timestamp", "%{@timestamp}"]
add_field => ["process_name","asterisk_failed"]
}
if [action] == "Executing" and [dialplan_priority]=="1"{
grok
{
match =>
{
"log_message"=>"%{DATA:asterisk_app}\(\"%{DATA:protocol}\/%{DATA:EXT}\-%{DATA:channel}\"\,\s\"%{DATA:problem1}\-\s%{DATA:problem2}\"\)\s%{GREEDYDATA:all}"
}
}
}
if [action] == "Executing" and [dialplan_priority]=="26"{
grok
{
match =>
{
"log_message"=>"%{DATA:asterisk_app}\(\"%{DATA:protocol}\/%{DATA:EXT}\-%{DATA:channel}\"\,\s\"%{DATA:problem1}\sand\s%{DATA:problem2}\"\)\s%{GREEDYDATA:all}"
}
}
}
}
I've tested (by myself) my grok filter and it works well.我已经(自己)测试了我的 grok 过滤器,它运行良好。 Are there some stuff that needed to be imported so i can use conditional expression?是否有一些需要导入的东西,以便我可以使用条件表达式?
2 个解决方案
解决方案1
0 2020-01-21 08:00:19
尝试改变条件,如:
if "Executing" in [action] { logic }
解决方案2
0 2020-01-23 06:37:45
尝试将条件更改为
if [action] =~ "Executing" and [dialplan_priority] =~"1"{ logic }
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.