stackoom
  简体   繁体   中英

Logstash, how to use grok patterns coming from event data

 原文  2018-01-11 16:14:27       kubernetes/ logstash/ elastic-stack/ logstash-grok

Question

I have an ELK stack deployed on kubernetes used to collect containers' data. Among all the rest, it is using a grok filter to parse the actual log line based on a pattern.

My wish is to be able to setup this pattern by using an annotation in the kubernetes pod.

I added an annotation called elk-grok-pattern in the pod , configured filebeat in order to forward the annotation and I can get the annotation value as a field in my event in logstash , so far so good.

The problem is that I am unable to use the value of my field as a grok pattern .

The annotation in my pod looks like this: 

Annotations:    elk-grok-pattern=%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:status} %{NUMBER:response_time}

The filter I am trying to use is similar to the following: 

filter {
  # create a new field called "elk-grok-pattern" from the pod annotation
  mutate {
        rename => { "[kubernetes][annotations][elk-grok-pattern]" => "elk-grok-pattern" }
  }

  grok {
    pattern_definitions => {
      "CUSTOM" => "%{elk-grok-pattern}"
    }
    match => { "log" => "%{CUSTOM}" }
  }
}

Unluckily this leads to an error: 

Pipeline aborted due to error {:pipeline_id=>"main", :exception=>#<Grok::PatternError: pattern %{elk-grok-pattern} not defined>

In practice, grok is interpreting my pattern literally, and not evaluating the string content coming from the event.

I also tried using the pattern directly, withoud defining a pattern_definition, like this: 

grok {
  match => { "log" => "%{elk-grok-pattern}" }
}

But I get the same exact error.

Is there a way to accomplish my goal? Any advice or possible workaround would be very appreciated.

1 answers

solution1
 0  2018-01-11 16:26:36

If you don't wish to use this pattern in other places, why not just use it in the match like this? 

grok {
  match => { "log" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:status} %{NUMBER:response_time}" }
}

If you want to use it later in other filters, check out this page on pattern creation:
https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html#setting_patterns_dir

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to connect logstash from logstash? Logstash output is from another input How to ship logs from pods on Kubernetes running on top of GCP to elasticsearch/logstash? Where are these kubernetes healthchecks coming from? How to deploy logstash with persistent volume on kubernetes? How to differentiate between RAM and heap usage in logstash? how to establish connectivity between filebeat running on a linux based VM and logstash running in kubernetes(logstash exposed through ingress) How does this Dockerfile actually run logstash without an entrypoint or cmd? How to declare multiple output.logstash in single filebeat DaemonSet in kubernetes? In K8S, how to use data from existed secret when creating new secret?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM