- elasticsearch/
elasticsearch 我不知道';我不知道如何用grok和logstash过滤我的日志文件
elasticsearch 我不知道';我不知道如何用grok和logstash过滤我的日志文件
我有一个小型java应用程序,可以加载与下面类似的日志:
Fri May 29 12:10:34 BST 2015 Trade ID: 2 status is :received
Fri May 29 14:12:36 BST 2015 Trade ID: 4 status is :received
Fri May 29 17:15:39 BST 2015 Trade ID: 3 status is :received
Fri May 29 21:19:43 BST 2015 Trade ID: 3 status is :Parsed
Sat May 30 02:24:48 BST 2015 Trade ID: 8 status is :received
Sat May 30 08:30:54 BST 2015 Trade ID: 3 status is :Data not found
Sat May 30 15:38:01 BST 2015 Trade ID: 3 status is :Book not found
Sat May 30 23:46:09 BST 2015 Trade ID: 6 status is :received
filter {
grok {
match => { "message" => "%{DAY} %{MONTH} %{DAY} %{TIME} BST %{YEAR} Trade ID: %{NUMBER:tradeId} status is : %{WORD:status}" }
}
目前,我无法按自己的意愿过滤日志 模式之间有一些额外的空格,对于状态,您希望解析整个消息,因此使用greedydata而不是单词是您的选择
filter {
grok {
match => { "message" => "%{DAY:day} %{MONTH:month} %{MONTHDAY:monthday} %{TIME:time} BST %{YEAR:year} Trade ID: %{NUMBER:tradeId} status is :%{GREEDYDATA:status}" }
}
}
{
"message" => "Sat May 30 15:38:01 BST 2015 Trade ID: 3 status is :Book not found",
"@version" => "1",
"@timestamp" => "2015-08-18T18:28:47.195Z",
"host" => "Gabriels-MacBook-Pro.local",
"day" => "Sat",
"month" => "May",
"monthday" => "30",
"time" => "15:38:01",
"year" => "2015",
"tradeId" => "3",
"status" => "Book not found"
}
请更具体地说明您当前和预期的筛选器行为。说“它不起作用”是没有帮助的。首先,你的模式说“状态是:”但是在你的样本数据中冒号后面没有空格。使用grok调试器。目前我的过滤器只能看到时间戳。没有关于tradeId和状态的标签。我也要在上面贴标签。我真的是麋鹿初学者你能提供一个工作配置文件吗?