堆栈内存溢出
  简体   繁体   English

Logstash grok 过滤器调试

[英]Logstash grok filter debugging

 原文  2020-11-06 20:45:53       yaml/ logstash/ elastic-stack/ logstash-grok/ logstash-configuration

问题描述

Please help, I'm trying to add grok filter in my Logstash pipeline which will convert below logline请帮忙,我正在尝试在我的 Logstash 管道中添加 grok 过滤器,它将在日志行下方转换

2020-11-06 12:57:43,854 INFO Bandwidth: NASDAQ:224.0.130.65:30408 0.000059 Gb/S

to

{
  "ts": [
    [
      "2020-11-06 12:57:43,854"
    ]
  ],
  "YEAR": [
    [
      "2020"
    ]
  ],
  "MONTHNUM": [
    [
      "11"
    ]
  ],
  "MONTHDAY": [
    [
      "06"
    ]
  ],
  "HOUR": [
    [
      "12",
      null
    ]
  ],
  "MINUTE": [
    [
      "57",
      null
    ]
  ],
  "SECOND": [
    [
      "43,854"
    ]
  ],
  "ISO8601_TIMEZONE": [
    [
      null
    ]
  ],
  "loglevel": [
    [
      "INFO"
    ]
  ],
  "Metric": [
    [
      "Bandwidth"
    ]
  ],
  "Chanel": [
    [
      "NASDAQ:224.0.130.65:30408"
    ]
  ],
  "Data": [
    [
      "0.000059 Gb/S"
    ]
  ]
}

and below is my grok filter下面是我的 grok 过滤器

input{
  beats{
    port => "5044"
  }
}

filter{
  if "Bandwidth" in [message]{
    grok{
      match => {"message" => "%{TIMESTAMP_ISO8601:ts} %{LOGLEVEL:loglevel} %{WORD:Metric}: (?<Chanel>[A-Z]+:[0-9]+.[0-9]+.[0-9]+.[0-9]+:[0-9]+)"}
    }
  }
}

output{
  elasticsearch{
    hosts => [ "localhost:9200" ]
  }
}

This filter works perfectly fine when I try it in Grok debugger but not in Logstash when viewed in Kibana.当我在 Grok 调试器中尝试时,这个过滤器工作得非常好,但在 Kibana 中查看时在 Logstash 中却没有。 I don't see any name captures from filter.我没有看到过滤器中的任何名称捕获。 Just the message.只是消息。 If I remove the regex part of filter and add GREEDYDATA, everything works.如果我删除过滤器的正则表达式部分并添加 GREEDYDATA,则一切正常。 I'm sure I'm doing something wrong in Regex part.我确定我在 Regex 部分做错了什么。

1 个解决方案

解决方案1
 1  2020-11-06 22:56:12

Your regex pattern is correct and does give the expected filter output.您的正则表达式模式是正确的,并且确实提供了预期的过滤器输出。 Refresh your index pattern in Kibana or try re-ingesting the data.在 Kibana 中刷新您的索引模式或尝试重新摄取数据。

Although, I do not think you need to use regex if the channel pattern is going to be like Some Data:IP Address:Port虽然,如果通道模式将类似于 Some Data:IP Address:Port,我认为您不需要使用正则表达式

Try below pattern试试下面的模式

grok{
      match => { "message" => ["%{TIMESTAMP_ISO8601:ts} %{LOGLEVEL:loglevel} %{WORD:Metric}: (?<Channel>%{DATA}:%{HOSTPORT}) (?<Data>%{GREEDYDATA})"]}
    }

Logstash output will be Logstash 输出将是

{
            "ts" => "2020-11-06 12:57:43,854",
        "Metric" => "Bandwidth",
    "@timestamp" => 2020-11-06T22:47:20.383Z,
      "loglevel" => "INFO",
          "host" => "e7c15acec470",
          "Data" => "0.000059 Gb/S",
       "Channel" => "NASDAQ:224.0.130.65:30408",
      "@version" => "1",
       "message" => "2020-11-06 12:57:43,854 INFO Bandwidth: NASDAQ:224.0.130.65:30408 0.000059 Gb/S"
}

Try using stdout output along with elasticsearch so you can see what logstash is outputting to elastic.尝试将 stdout 输出与 elasticsearch 一起使用,以便您可以查看 logstash 输出到 elastic 的内容。

output{
      stdout { codec => rubydebug }
    }

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在 Yaml 文件中使用正则表达式进行 Logstash 翻译过滤器? - How to use regex in Yaml file for Logstash Translate filter? LogStash 配置问题 - LogStash Configuration issue django grok YML? django没有加载夹具YML文件(yml不是已知的序列化) - Does django grok YML ? django not loading fixtures YML file (yml is not a known serialization) 调试 AML Model 部署 - Debugging AML Model Deployment Logstash 中的“预期为#, =&gt;”是什么意思? - What does “Expected one of #, =>” in Logstash mean? 在管道中使用 if 语句时出现 Logstash 错误 - Logstash error when using if statement in pipeline Symfony过滤器不起作用 - Symfony Filter not working jinja2 中的过滤器或映射 - Filter or map in jinja2 为了调试目的,使 Azure 管道阶段失败的最简单方法是什么 - What is the easiest way to make Azure pipeline stage fail for debugging purposes Ansible默认过滤器 - Ansible default filter
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM