
Logstash JSON Grok filter issue

I set up a squid proxy to send JSON-formatted logs to Elastic via Logstash. I am trying to parse the logs with a GROK filter. The filter works in the Kibana Grok debugger, but when I restart Logstash it complains with the following error:

Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:squid_logs,
 :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"
{\", \",\", \"]\" at line 10, column 62 (byte 137) after filter {\n  grok {\n    match => {\n 
       \"message\" => [ \"%{IPV4:vendor_ip}\", \"%{WORD:message}\"", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", 
"org/logstash/execution/AbstractPipelineExt.java:184:in `initialize'", 
"org/logstash/execution/JavaBasePipelineExt.java:69:in `initialize'", 
"/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in `initialize'", 
"/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in `execute'", 
"/usr/share/logstash/logstash-core/lib/logstash/agent.rb:389:in `block in converge_state'"]}


I have the following GROK filter:

"%{IPV4:vendor_ip}", "%{WORD:message}": "%{IPV4:clientip}", "%{WORD:message}": "%{DATA:timestamp}", "%{WORD:message}": "%{WORD:verb}", "%{WORD:message}": "%{DATA:request}", "%{WORD:message}": "%{URIPATHPARAM:path}"

In the Kibana Grok debugger the filter handles a message like the following without problems:

{ "vendor_ip": "x.x.x.x", "clientip": "x.x.x.x", "timestamp": "2021-04-09T13:58:38+0000", 
"verb": "GET", "request": "https://domain", "path": "/somepath", "httpversion": "HTTP/1.1", 
"response": 200, "bytes": 2518042, "referer": "-", "useragent": "Microsoft BITS/7.8", 
"request_status": "HIER_DIRECT", "hierarchy_status": "HIER_DIRECT" }

The Logstash configuration is as follows:

input {
  beats {
    port => 5045
  }
}

filter {
  grok {
    match => {
        "message" => [ "%{IPV4:vendor_ip}", "%{WORD:message}": "%{IPV4:clientip}", "%{WORD:message}": "%{DATA:timestamp}", "%{WORD:message}": "%{WORD:verb}", "%{WORD:message}": "%{DATA:request}", "%{WORD:message}": "%{URIPATHPARAM:path}" ]
    }
  }
}


output {
  elasticsearch {
    hosts => ["x.x.x.x:9200"]
    index => "squid_logs"
  }
}

Using a grok filter to parse a JSON message is the wrong approach. There is no need for it, and it is a lot of work, because you have to escape every double quote in the message; otherwise you get a configuration error, which is exactly your case.

Use the json filter to parse JSON messages.

Just use this in your pipeline:

filter {
    json {
        source => "message"
    }
}
