堆栈内存溢出
  繁体   English   中英

Logstash grok筛选器无法解析消息

[英]Logstash grok filter does not parse message

 原文  2017-09-04 13:20:52       logstash/ logstash-grok/ logstash-configuration

问题描述

在grok中,调试器一切正常,但启动Logstash时无法解析。

日志行: 

# Time: 170904 10:16:01\n# User@Host: mmcite[mmcite] @ localhost []\n# Thread_id: 18712  Schema: mmcite  QC_hit: No\n# Query_time: 0.502068  Lock_time: 0.000030  Rows_sent: 0  Rows_examined: 1\n# Rows_affected: 1\nuse mmcite;\nSET timestamp=1504512961;\nUPDATE `ajedem456456` SET `id`='cotjo4mim2j7fp3ui2kit7gns6' WHERE id='pvueh0rm6l2meiguootdfqsan7';

过滤: 

grok {

    match => { "message" => "#%{SPACE}Time:%{SPACE}%{NUMBER}%{SPACE}%{TIME}(.|\n)*%{HOSTNAME}\[%{HOSTNAME:mysql_host}\]%{SPACE}@%{SPACE}localhost \[\](.|\n)*#%{SPACE}Thread_id:%{SPACE}%{NUMBER}%{SPACE}Schema:%{SPACE}%{WORD}%{SPACE}%{WORD}:%{SPACE}%{WORD}(.|\n)*#%{SPACE}Query_time:%{SPACE}%{BASE16FLOAT:mysql_query_time}%{SPACE}Lock_time:%{SPACE}%{BASE16FLOAT:mysql_lock_time}%{SPACE}Rows_sent:%{SPACE}%{NUMBER:mysql_rows_sent}%{SPACE}Rows_examined:%{SPACE}%{NUMBER:mysql_rows_examined}(.|\n)*%{SPACE}Rows_affected:%{SPACE}%{NUMBER:mysql_rows_affected}(.|\n)*%{WORD}%{SPACE}%{WORD};(.|\n)*SET%{SPACE}timestamp=%{NUMBER:timestamp};\\n%{GREEDYDATA:mysql_query}" }

}

输出: 

{
    "@timestamp" => 2017-09-04T13:08:06.260Z,
        "offset" => 3441,
      "@version" => "1",
    "input_type" => "log",
          "beat" => {
        "hostname" => "server.jerewan.cz",
            "name" => "server.jerewan.cz",
         "version" => "5.1.1"
    },
          "host" => "server.jerewan.cz",
        "source" => "/usr/home/admin/filebeat/mysql.slow.log",
       "message" => "# Time: 170904 10:16:01\n# User@Host: mmcite[mmcite] @ localhost []\n# Thread_id: 18712  Schema: mmcite  QC_hit: No\n# Query_time: 0.502068  Lock_time: 0.000030  Rows_sent: 0  Rows_examined: 1\n# Rows_affected: 1\nuse mmcite;\nSET timestamp=1504512961;\nUPDATE `PAJKA` SET `id`='cotjo4mim2j7fp3ui2kit7gns6' WHERE id='pvueh0rm6l2meiguootdfqsan7';",
          "type" => "mysql_slow_log",
          "tags" => [
        [0] "beats_input_codec_plain_applied",
        [1] "_grokparsefailure"
    ]
}

非常感谢您的帮助。

1 个解决方案

解决方案1
 1 已采纳  2017-09-05 10:26:39

我不知道如何,但是它有效。 

grok {    
    match => { "message" => "#%{SPACE}Time:%{SPACE}%{NUMBER}%{SPACE}%{TIME}(.|\n)*%{HOSTNAME}\[%{HOSTNAME:mysql_host}\]%{SPACE}@%{SPACE}localhost \[\](.|\n)*#%{SPACE}Thread_id:%{SPACE}%{NUMBER}%{SPACE}Schema:%{SPACE}%{WORD}%{SPACE}%{WORD}:%{SPACE}%{WORD}(.|\n)*#%{SPACE}Query_time:%{SPACE}%{BASE16FLOAT:mysql_query_time}%{SPACE}Lock_time:%{SPACE}%{BASE16FLOAT:mysql_lock_time}%{SPACE}Rows_sent:%{SPACE}%{NUMBER:mysql_rows_sent}%{SPACE}Rows_examined:%{SPACE}%{NUMBER:mysql_rows_examined}(.|\n)*%{SPACE}Rows_affected:%{SPACE}%{NUMBER:mysql_rows_affected}(.|\n)*%{WORD}%{SPACE}%{WORD};(.|\n)*SET%{SPACE}timestamp=%{NUMBER:timestamp};(.|\n)%{GREEDYDATA:mysql_query}" }    
}

我已将( %{GREEDYDATA:mysql_query}之前的\\\\n替换为(.|\\n)

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Logstash grok 过滤器 grok 解析失败 logstash grok filter-grok解析失败 使用Logstash Grok过滤器过滤系统日志消息 Logstash grok匹配过滤器的消息密钥是什么? logstash grok过滤器忽略消息的某些部分 grok过滤器如何在Logstash中工作 过滤Logstash不适用于Grok Debugger 用Logstash进行Grok解析失败 logstash grok解析网址 logstash:grok解析失败
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM