
elasticsearch Logstash JSON Grok filter issue


I have set up a squid proxy that sends JSON-formatted logs to Elastic through Logstash. I am trying to parse the logs with a GROK filter. The filter works in the Kibana Grok debugger, but when I restart Logstash I get the following error

Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:squid_logs,
 :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"
{\", \",\", \"]\" at line 10, column 62 (byte 137) after filter {\n  grok {\n    match => {\n 
       \"message\" => [ \"%{IPV4:vendor_ip}\", \"%{WORD:message}\"", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", 
"org/logstash/execution/AbstractPipelineExt.java:184:in `initialize'", 
"org/logstash/execution/JavaBasePipelineExt.java:69:in `initialize'", 
"/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in `initialize'", 
"/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in `execute'", 
"/usr/share/logstash/logstash-core/lib/logstash/agent.rb:389:in `block in converge_state'"]}


I have the following GROK filter

"%{IPV4:vendor_ip}", "%{WORD:message}": "%{IPV4:clientip}", "%{WORD:message}": "%{DATA:timestamp}", "%{WORD:message}": "%{WORD:verb}", "%{WORD:message}": "%{DATA:request}", "%{WORD:message}": "%{URIPATHPARAM:path}"
In the Kibana Grok debugger the filter works fine against a message like the following:

{ "vendor_ip": "x.x.x.x", "clientip": "x.x.x.x", "timestamp": "2021-04-09T13:58:38+0000", 
"verb": "GET", "request": "https://domain", "path": "/somepath", "httpversion": "HTTP/1.1", 
"response": 200, "bytes": 2518042, "referer": "-", "useragent": "Microsoft BITS/7.8", 
"request_status": "HIER_DIRECT", "hierarchy_status": "HIER_DIRECT" }
The Logstash config is as follows:

input {
  beats {
    port => 5045
  }
}

filter {
  grok {
    match => {
        "message" => [ "%{IPV4:vendor_ip}", "%{WORD:message}": "%{IPV4:clientip}", "%{WORD:message}": "%{DATA:timestamp}", "%{WORD:message}": "%{WORD:verb}", "%{WORD:message}": "%{DATA:request}", "%{WORD:message}": "%{URIPATHPARAM:path}" ]
    }
  }
}


output {
  elasticsearch {
    hosts => ["x.x.x.x:9200"]
    index => "squid_logs"
  }
}

Using a grok filter to parse a JSON message is the wrong approach. There is no need for it, and it would be a lot of work, because you would have to escape every double quote in the message; otherwise you get a configuration error, which is what is happening in your case.

Use the json filter to parse the JSON message.

Just use this in your pipeline:

filter {
    json {
        source => "message"
    }
}
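As an added example (not part of the original question or answer), here is the asker's pipeline with the grok block replaced by the json filter, plus the two follow-ups a practitioner usually wants once the parse works: lines that are not valid JSON are kept and tagged instead of being silently lost, and @timestamp is taken from squid's own timestamp rather than the time Logstash received the line. The date pattern assumes squid writes the `+0000` offset form shown in the sample message above; the host and port are the placeholders from the question.

```logstash
input {
  beats {
    port => 5045
  }
}

filter {
  # Parse the JSON document that squid wrote into "message". With no "target",
  # the decoded keys (vendor_ip, clientip, verb, ...) land at the top level of
  # the event. A line that is not valid JSON is NOT dropped: the event keeps its
  # raw "message" and gets the default tag "_jsonparsefailure", so malformed or
  # truncated lines stay visible in Elasticsearch instead of vanishing.
  json {
    source => "message"
  }

  if "_jsonparsefailure" not in [tags] {
    # squid's "timestamp" looks like 2021-04-09T13:58:38+0000 (assumption taken
    # from the sample in the question). Joda "Z" parses the +0000 offset. On a
    # successful match the original string field is removed.
    date {
      match => ["timestamp", "yyyy-MM-dd'T'HH:mm:ssZ"]
      target => "@timestamp"
      remove_field => ["timestamp"]
    }

    # The raw JSON string duplicates every parsed field; drop it to roughly halve
    # what is stored per event. Failed lines keep it for troubleshooting.
    mutate {
      remove_field => ["message"]
    }
  }
}

output {
  elasticsearch {
    hosts => ["x.x.x.x:9200"]
    index => "squid_logs"
  }
}
```

Two things to check before relying on this. First, validate the file without starting the pipeline, which would have caught the original quoting error immediately: `bin/logstash --config.test_and_exit -f /path/to/squid_logs.conf`. Second, because the json filter merges decoded keys into the event root, a key named `message`, `tags` or `@timestamp` in the log would overwrite the event's own field; if you do not fully control the log format, add `target => "squid"` to the json filter so everything lands under `[squid]` instead.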

Thank you, this is a lot simpler than what I was trying to do.

I see this question has already been answered very well, but just for the record... the Logstash config above is not valid... specifically, grok's
message
setting is formatted incorrectly. It would be better as something like
["\{\"vendor_ip\":\"%{IPV4:vendor_ip}\",\"clientip\":\"%{IPV4:clientip}\",
...etc

Thanks for the comment anyway. Good to know the syntax was off, even though the grok debugger accepted it. I usually use the Kibana built-in one rather than Kibana. Mainly because it was the first tool I found. It seems to have fewer of these issues, but YMMV.