Logstash 配置未編譯
[英]Logstash configuration not compiling
問題描述
我在多個服務器/應用程序上使用 filebeat,這些服務器/應用程序都提供給 logstash,我想使用 logstash 配置來解析一種特定類型的日志並應用 grok 模式,同時像往常一樣處理 rest。 這就是我所擁有的,但它不起作用。
input {
beats {
port => 5044
type => "log"
}
}
filter {
if [fields][type] == "transaction_router"{
}
grok {
break_on_match => false
match => { "message" => "%{DATE_US:date} %{TIME:timestamp},%{LOGLEVEL:loglevel} : %{DATA:component},%{DATA:log_level},\[%{DATA:chainCode}:%{DATA:storeCode}:%{DATA:terminalCode}:%{DATA:sequenceNumber}:%{DATA:userName}:%{DATA:clientTransactionID}]\[src=%{DATA:sourceUrl},fwd="%{DATA:forwardURL}",ses=%{DATA:session},ot=%{DATA:originalTransactionType},tt=%{DATA:currentTransactionType},amt=%{DATA:amount},rsp=%{DATA:hostResponse},card=%{DATA:card}] Response from host %{GREEDYDATA:responseFromHost}" }
}
}
output {
stdout {
codec => rubydebug
}
elasticsearch {
hosts => ["redacted:9200"]
index => "logstash-%{+YYYY.MM.dd}"
user => "redacted"
password => "redacted"
}
}
我在 kibana grok 調試器中測試了模式並且它在那里工作,所以我不確定出了什么問題但是這個配置我得到以下錯誤:
[2023-01-12T16:42:42,965][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"{\", \"}\" at line 12, column 281 (byte 438) after filter {\n if [fields][type] == \"transaction_router\"{\n }\n grok {\n break_on_match => false\n match => { \"message\" => \"%{DATE_US:date} %{TIME:timestamp},%{LOGLEVEL:loglevel} : %{DATA:component},%{DATA:log_level},\\[%{DATA:chainCode}:%{DATA:storeCode}:%{DATA:terminalCode}:%{DATA:sequenceNumber}:%{DATA:userName}:%{DATA:clientTransactionID}]\\[src=%{DATA:sourceUrl},fwd=\"", :backtrace=>["C:/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:187:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:72:in `initialize'", "C:/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in `initialize'", "C:/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in `execute'", "C:/logstash/logstash-core/lib/logstash/agent.rb:391:in `block in converge_state'"]}
1 個解決方案
解決方案1
0 2023-01-17 08:11:28
escaping 似乎有一些問題,特殊字符如 '"'、'[' 和 ',' 請嘗試以下代碼
grok {
break_on_match => false
match => { "message" => "%{DATE_US:date} %{TIME:timestamp}\,%{LOGLEVEL:loglevel} \: %{DATA:component}\,%{DATA:log_level}\,\[%{DATA:chainCode}\:%{DATA:storeCode}\:%{DATA:terminalCode}\:%{DATA:sequenceNumber}\:%{DATA:userName}\:%{DATA:clientTransactionID}\]\[src=%{DATA:sourceUrl}\,fwd=\"%{DATA:forwardURL}\"\,ses=%{DATA:session}\,ot=%{DATA:originalTransactionType}\,tt=%{DATA:currentTransactionType}\,amt=%{DATA:amount}\,rsp=%{DATA:hostResponse}\,card=%{DATA:card}\] Response from host %{GREEDYDATA:responseFromHost}" }
}
驗證Logstash配置
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.