Grok过滤器在调试器中工作,但在logstash中不工作
[英]Grok filter working in debuger but not in logstash
问题描述
我正在尝试将时间标记从源日志文件转换为@timestamp字段,以使其在Kibana中轻松创建仪表板。
尝试使用TIMESTAMP_ISO8601并且还使用单独的日期字段,例如%{MONTHNUM}等。
它不断失败...
filter {
if "MyApplicationLogfile" in [source] {
grok {
match => {"message" => "%{IP:hostip}\s\-\s\-\s%{TIMESTAMP_ISO8601:time}\s%{GREEDYDATA:content}"}
tag_on_failure => [ "timestampgrokfail" ]
}
date {
match => [ "time", "yyyy-MM-dd HH:mm:ssZZZZ" ]
target => "@timestamp" }
}
}
输入为:
10.44.38.25 - - 2019-08-22 14:32:25+0200 "GET /ssm/sso/keepalive HTTP/1.0" 200 12 0 "-" "-" "-"
在Kibana中,它显示标签timestampgrokfail和@timestamp没有填充正确的值吗?
1 个解决方案
解决方案1
0 2019-08-23 13:45:13
该grok过滤器在7.3.0中为我解析了该消息。 但是,日期过滤器应具有ZZ,而不是ZZZZ
input { generator { count => 1 lines => [ '10.44.38.25 - - 2019-08-22 14:32:25+0200 "GET /ssm/sso/keepalive HTTP/1.0" 200 12 0 "-" "-" "-"' ] } }
filter {
grok {
match => {"message" => "%{IP:hostip}\s\-\s\-\s%{TIMESTAMP_ISO8601:time}\s%{GREEDYDATA:content}"}
tag_on_failure => [ "timestampgrokfail" ]
}
date {
match => [ "time", "yyyy-MM-dd HH:mm:ssZZ" ]
target => "@timestamp"
}
}
让我
"hostip" => "10.44.38.25",
"content" => "\"GET /ssm/sso/keepalive HTTP/1.0\" 200 12 0 \"-\" \"-\" \"-\"",
"time" => "2019-08-22 14:32:25+0200",
"@timestamp" => 2019-08-22T12:32:25.000Z,
Logstash grok过滤器,调试器可以,但是logstash解析失败
[英]Logstash grok filter, debugger OK but failure in logstash parsing
为自定义时间格式创建 Logstash 输入和 grok 过滤器
[英]Creating Logstash input and grok filter for a custom time format
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.