堆棧內存溢出
  簡體   English   中英

Logstash grok 過濾器 grok 解析失敗

[英]Logstash grok filter grok parse failure

 原文  2022-08-23 11:10:05       logstash/ grok

問題描述

我使用 Logstash 和 Filebeat 對其進行了配置。 我使用了 MongoDB output 插件。

我想像這樣在 mongoDB 中制作數據:

  {
    "_id": {"$oid": "62ea3197736a54952d56e2fe"},
    "category": "TEST",
    "date": "2022-08-03T17:28:07+09:00",
    "level": "WARNING",
    "message": "statistics_sales.go:136: sdb.FindUserByID, error:  mongo: no documents in result",
    "title": "statistics_sales"
  }

這是原始日志數據:

ERROR: 2022/08/16 13:27:42.292305 statistics_sales.go:136: sdb.FindUserByID, error:  mongo: no documents in result

所以我像這樣配置logstash.conf:

filter {
  grok {
    match => {
      "message" => "%{LOGLEVEL:level}: %{YEAR:year}/%{MONTHNUM:month}/%{MONTHDAY:day} %{TIME:time} %{GREEDYDATA:message}"
    }

    overwrite => [ "message" ]
  }

  grok {
    match => {
      "message" => "%{DATA:title}\.go%{GREEDYDATA}"
    }
  }

  grok {
    match => {
      "time" => "%{DATA:sec}\.%{GREEDYDATA}"
    }
  }

  grok {
    add_field => {
      "date" => "%{year}-%{month}-%{day}T%{time}+09:00"
    }
  }

  grok {
    remove_field => ["year", "month", "day", "time", "event", "@version", "agent", "host", "@timestamp", "ecs"]
  }
}

但是,我在 time(sec) 配置下遇到錯誤。

我嘗試了很多方法,但我找不到問題所在。

這是 Logstash 結果:

{
         "month" => "08",
         "input" => {
        "type" => "log"
    },
         "agent" => {
                "name" => "HOSTNAME",
             "version" => "8.3.3",
                  "id" => "8a97df17-1977-472f-b6f1-6c7a7359c372",
                "type" => "filebeat",
        "ephemeral_id" => "34333de9-c892-42a0-bc35-ee49a0f06721"
    },
           "log" => {
        "offset" => 575,
          "file" => {
            "path" => "/home/bjkang/LogCollector/Log/service_log_2022-08-23.log"
        }
    },
           "ecs" => {
        "version" => "8.0.0"
    },
         "title" => "statistics_sales",
    "@timestamp" => 2022-08-23T11:30:42.407Z,
          "time" => "13:27:42.293679",
           "sec" => "13:27:42",
          "host" => {
        "name" => "HOSTNAME"
    },
          "tags" => [
        [0] "_grokparsefailure"
    ],
      "@version" => "1",
       "message" => "statistics_sales.go:136: sdb.FindUserByID, error:  mongo: no documents in result",
           "day" => "16",
         "level" => "ERROR",
          "year" => "2022",
         "event" => {
        "original" => "ERROR: 2022/08/16 13:27:42.293679 statistics_sales.go:136: sdb.FindUserByID, error:  mongo: no documents in result"
    }
}

我能得到一些提示嗎?

1 個解決方案

解決方案1
 0  2022-08-23 13:17:12

我通過這樣設置解決了它:

filter {
  grok {
    match => {
      "message" => "%{LOGLEVEL:level}: %{YEAR:year}/%{MONTHNUM:month}/%{MONTHDAY:day} %{TIME:time} %{GREEDYDATA:message}"
    }

    overwrite => [ "message" ]
  }

  grok {
    match => {
      "message" => "%{DATA:title}\.go%{GREEDYDATA}"
    }
  }

  grok {
    match => {
      "time" => "%{DATA:hhmmss}\.%{GREEDYDATA}"
    }
  }
  mutate {
    add_field => {
      "date" => "%{year}-%{month}-%{day}T%{hhmmss}+09:00"
    }
  }

  prune {
    whitelist_names => ["level", "message", "title", "date", "@timestamp", "@version"]
  }
}

但是,我無法插入沒有元數據的文檔 [@timestamp, @version]

也許有人知道這一點,請評論:)

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 logstash grok filter-grok解析失敗 用Logstash進行Grok解析失敗 logstash:grok解析失敗 GROK分析Logstash失敗 Logstash和Grok過濾器故障 logstash grok,用 json 過濾器解析一行 Logstash grok篩選器無法解析消息 logstash grok解析網址 Logstash - 用 grok 解析數據 Logtash的grok過濾器
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM