- elasticsearch/
elasticsearch Logstash grok筛选器,调试器正常,但Logstash解析失败
elasticsearch Logstash grok筛选器,调试器正常,但Logstash解析失败
我的grok过滤器在grok调试器中正常,但在启动logstash时不工作 我的线路日志
[Mon Aug 28 09:16:16.028821 2017] [php7:notice] [pid 11111] [client 22.22.66.66:66666] message d'erreur
filter {
grok {
match => { "message" => "\[%{DAY:day} %{MONTH:month} %{MONTHDAY:monthday} %{TIME:time} %{YEAR:year}\] \[%{WORD:php}:%{WORD:logelvel}\] \[%{WORD} %{WORD:processus}\] \[%{WORD} %{IP}:%{POSINT:port}\] %{GREEDYDATA: message}" }
}
}
@timestamp:August 28th 2017, 10:40:22.380 offset:5,269 @version:1 input_type:log beat.hostname:ip-166-55-55-55 beat.name:ip-166-55-55-55 beat.version:5.5.1 host:ip-175-61-66-66 source:/var/log/apache2/filelog.log
message:[Mon Aug 28 09:10:59.023093 2017] [php7:notice] [pid 11111] [client 22.22.66.66:66666]
message d'erreur type:log tags:beats_input_codec_plain_applied, _grokparsefailure _id:AV4n_8akHhd-RttynnUH _type:log _index:index-2017.08.28 _score: -
非常感谢您的帮助。您需要像这样避开方括号:
\[%{DAY:day} %{MONTH:month} %{MONTHDAY:monthday} %{TIME:time} %{YEAR:year}\] \[%{WORD:php}:%{WORD:logelvel}\] \[%{WORD} %{WORD:processus}\] \[%{WORD} %{IP}:%{POSINT:port}\] %{GREEDYDATA:message}
您需要像这样转义方括号:
\[%{DAY:day} %{MONTH:month} %{MONTHDAY:monthday} %{TIME:time} %{YEAR:year}\] \[%{WORD:php}:%{WORD:logelvel}\] \[%{WORD} %{WORD:processus}\] \[%{WORD} %{IP}:%{POSINT:port}\] %{GREEDYDATA:message}
%{GREEDYDATA:message}%{GREEDYDATA:message}