- elasticsearch/
elasticsearch Grok解析失败-在筛选错误日志时
elasticsearch Grok解析失败-在筛选错误日志时
嗨,我得到以下错误:
"tags" => [
[0] "beats_input_codec_plain_applied",
[1] "_grokparsefailure"
]
input {
beats {
port => "5044"
}
}
filter {
grok {
match => ["message","HTTPD20_ERRORLOG \[%{HTTPDERROR_DATE:timestamp}\] \[%{LOGLEVEL:loglevel}\] (?:\[client %{IPORHOST:clientip}\] )$
}
}
output {
stdout { codec => rubydebug }
}
2020-10-09 14:24:33,489 [Thread1] INFO ReceiverLogging- Connecting
2020-10-09 14:24:34,166 [Thread1] INFO ReceiverLogging- Connected...
2020-10-09 14:24:34,166 [Thread1] INFO ReceiverLogging- Getting folder...
2020-10-09 14:24:34,167 [Thread1] INFO ReceiverLogging- Got folder
2020-10-09 14:24:34,167 [Thread1] INFO ReceiverLogging- Opening folder
2020-10-09 14:24:34,237 [Thread1] INFO ReceiverLogging- getting folder
2020-10-09 14:24:34,247 [Thread-6] ERROR CheckLog Error While Connecting to Websocket
javax.websocket.DeploymentException: The HTTP request to initiate the WebSocket connection failed
at org.apache.tomcat.websocket.WsWebSocketContainer.connectToServer(WsWebSocketContainer.java:392)
at org.apache.tomcat.websocket.WsWebSocketContainer.connectToServer(WsWebSocketContainer.java:150)
at global.services.WebSocketClient.<init>(WebSocketClient.java:33)
at global.services.WebSocketClient.getInstance(WebSocketClient.java:51)
at global.services.SchedulerThread.run(SchedulerThread.java:63)
Caused by: java.util.concurrent.TimeoutException
at sun.nio.ch.PendingFuture.get(PendingFuture.java:197)
at org.apache.tomcat.websocket.WsWebSocketContainer.processResponse(WsWebSocketContainer.java:674)
at org.apache.tomcat.websocket.WsWebSocketContainer.connectToServer(WsWebSocketContainer.java:340)
... 4 more
2020-10-09 14:24:34,248 [Thread-6] ERROR Exception- Error While Connecting to Websocket
2020-10-09 14:24:33489[Thread1]信息接收方记录-连接
2020-10-09 14:24:34166[Thread1]信息接收方记录-已连接。。。
2020-10-09 14:24:34166[Thread1]信息接收方日志记录-获取文件夹。。。
2020-10-09 14:24:34167[Thread1]信息接收方记录-已获取文件夹
2020-10-09 14:24:34167[Thread1]信息接收方记录-打开文件夹
2020-10-09 14:24:34237[Thread1]信息接收方记录-获取文件夹
2020-10-09 14:24:34247[Thread-6]错误检查日志连接到Websocket时出错
javax.websocket.DeploymentException:启动websocket连接的HTTP请求失败
位于org.apache.tomcat.websocket.WsWebSocketContainer.connectToServer(WsWebSocketContainer.java:392)
位于org.apache.tomcat.websocket.WsWebSocketContainer.connectToServer(WsWebSocketContainer.java:150)
位于global.services.WebSocketClient.(WebSocketClient.java:33)
位于global.services.WebSocketClient.getInstance(WebSocketClient.java:51)
在global.services.SchedulerThread.run(SchedulerThread.java:63)中
原因:java.util.concurrent.TimeoutException
位于sun.nio.ch.PendingFuture.get(PendingFuture.java:197)
位于org.apache.tomcat.websocket.WsWebSocketContainer.processResponse(WsWebSocketContainer.java:674)
位于org.apache.tomcat.websocket.WsWebSocketContainer.connectToServer(WsWebSocketContainer.java:340)
…还有4个
2020-10-09 14:24:34248[Thread-6]错误异常-连接到Websocket时出错
请帮助首先,我建议学习GROK的一些基础知识以及它的工作原理。在答案的末尾添加一些有用的资源 日志中的当前模式如下 时间戳CLASSNAME LOGLEVEL LOGMESSAGE 下面问题中的日志示例是一个示例管道,但不确定是否需要多行来捕获堆栈跟踪。在这种情况下,可以扩展下面的场景
filter {
grok{
match => { "message" => "%{TIMESTAMP_ISO8601:timeStamp}%{SPACE}\[%{DATA:className}\]%{SPACE}%{LOGLEVEL:logLevel}%{SPACE}%{GREEDYDATA:message}"}
overwrite => [ "message" ]
}
date {
match => ["timeStamp","yyyy-MM-dd HH:mm:ss,SSS"]
timezone => "Europe/London"
target => "@timestamp"
remove_field => ["timeStamp"]
}
}
{
"logLevel" => "INFO",
"@version" => "1",
"path" => "/usr/share/logstash/stack/data/data.log",
"className" => "Classname",
"host" => "95b3783b146a",
"@timestamp" => 2020-10-09T13:24:35.004Z,
"message" => "LOGG- Sending message : Test"
}
{
"logLevel" => "ERROR",
"@version" => "1",
"path" => "/usr/share/logstash/stack/data/data.log",
"className" => "Classname",
"host" => "95b3783b146a",
"@timestamp" => 2020-10-09T13:24:35.004Z,
"message" => "InternetApp- in details."
}
请在问题中添加一些日志示例。@karanshah添加了。请检查我使用了这些示例,但也遇到了相同的问题:“标记”=>[[0]“beats\u input\u codec\u plain\u applied”,[1]“\u grokparsefailure”],我没有得到您编写的输出。它是否适用于所有事件?可以为源日志添加更多示例。添加了更多日志示例。请检查