- elasticsearch/
elasticsearch Logstash-从log-Grok添加字段
elasticsearch Logstash-从log-Grok添加字段
我正在学习logstash,我正在使用Kibana查看日志。我想知道是否仍然可以使用消息中的数据添加字段 例如,日志如下所示:
@timestamp:December 21st 2016, 21:39:12.444 port:47,144
appid:%{[path]} host:172.18.0.5 levell:level message:
{"@timestamp":"2016-12-22T00:39:12.438+00:00","@version":1,"message":"Hello","logger_name":"com.empresa.miAlquiler.controllers.UserController","thread_name":"http-nio-7777-exec-1","level":"INFO","level_value":20000,
"HOSTNAME":"6f92ae402cb4","X-Span-Export":"false","X-B3-SpanId":"8f548829e9d18a8a","X-B3-TraceId":"8f548829e9d18a8a"}
filter {
grok {
match => {
"message" =>
"^%{TIMESTAMP_ISO8601:timestamp}\s+%{LOGLEVEL:level}\s+%{NUMBER:pid}\s+---\s+\[\s*%{USERNAME:thread}\s*\]\s+%{JAVAFILE:class}\s*:\s*%{DATA:themessage}(?:\n+(?<stacktrace>(?:.|\r|\n)+))?$"
}
}
date {
match => [ "timestamp" , "yyyy-MM-dd HH:mm:ss.SSS" ]
}
mutate {
remove_field => ["@version"]
add_field => {
"appid" => "%{[path]}"
}
add_field => {
"levell" => "level"
}
过滤器{
格罗克{
匹配=>{
“消息”=>
“^%{TIMESTAMP\u ISO8601:TIMESTAMP}\s+%{LOGLEVEL:level}\s+%{NUMBER:pid}\s+--\s+\[\s*%{USERNAME:thread}\s*\]\s+%{JAVAFILE:class}\s*:\s*{DATA:themessage}(?:\n+((?:.\r\124; n)++)+)$”
}
}
日期{
匹配=>[“时间戳”,“yyyy-MM-dd HH:MM:ss.SSS”]
}
变异{
删除_字段=>[“@version”]
添加字段=>{
“appid”=>“%{[path]}”
}
添加字段=>{
“级别”=>“级别”
}
还有其他方法吗?如果您使用
mutatefilter {
mutate {
add_field => ["newfield", "%{appid} %{levell}"] <-- this should concat both your appid and level to a new field
}
}
过滤器{
变异{
add_field=>[“newfield”,“%{appid}%{levell}”]谢谢你的回答@Kulasangar!,我一直在做add_field=>{“tipo”=>“%{level}”}
,但是这个字段显式地显示:“%{level}”,而不是值,例如“INFO”。你确定你的变种有效吗?我的意思是说你在哪里得到了` level value:add_field=>{level=>“level”}我想是的,logstash conf文件,看起来像:mutate{remove_field=>[“@version”]add_field=>{“level_type”=>“%{levell}”}
我不知道该怎么办。可能是属性出现在日志中的问题,但是whitin“message”字段?我可以用这篇文章回答这个问题: