Logstash filter HTTP Bad Request error (ELK)
Below is the code written in Logstash. I want to call the API through Logstash every minute and send the data to Elasticsearch.
input {
  exec {
    command => 'bin/true'
    tags => "myaccount_test"
    schedule => "* * * * *"
  }
}
filter {
  if "myaccount_test" in [tags] {
    ruby { code => "event.set('end', event.get('@timestamp').to_i)" }
    ruby { code => "event.set('start', event.get('@timestamp').to_i - 1917)" }
    http {
      body_format => "json"
      follow_redirects => false
      body => {
        "query" => "SELECT pagename AS ErrorPage, referrer AS GeneratedPage, count(*) AS ErrorTraffic FROM browser_records WHERE appkey = 'AAA-AAB-AUB'"
        "start" => "%{start}"
        "end" => "%{end}"
      }
      url => "http://<domainname>:<port>/events/query?limit=200"
      verb => "POST"
      headers => {
        "X-Events-API-AccountName" => "custxxxxx_xxxxxxxxxxxx"
        "X-Events-API-Key" => "xxxxxxx-xxxxxxx-xxxx"
        "Content-type" => "application/vnd.appd.events+json;v=2"
      }
    }
  }
}
output {
  if "myaccount_test" in [tags] {
    stdout { codec => json_lines }
  }
}
But I am getting an error from the http filter (Bad Request when accessing /events/query):
[2020-08-07T16:15:00,165][ERROR][logstash.filters.http ][main][e70ac31237ba1ca2ac387603953776f0cb06c3aecbd113db0915a1404334ad85] error during HTTP request {:url=>"http://<domainname>:<port>/events/query?limit=200", :code=>400, :response=>"<html>\n<head>\n<meta http-equiv=\"Content-Type\" content=\"text/html;charset=utf-8\"/>\n<title>Error 400 Bad Request</title>\n</head>\n<body><h2>HTTP ERROR 400</h2>\n<p>Problem accessing /events/query. Reason:\n<pre> Bad Request</pre></p>\n</body>\n</html>\n"}
{"@timestamp":"2020-08-07T12:15:00.041Z","end":1596802500,"start":1596800583,"message":"","@version":"1","command":"bin/true","host":"hostname","tags":["myaccount_test","_httprequestfailure"]}
Below is a sample of the HTTP request I am trying to make:
POST http://api.example.com/events/query?limit=100 HTTP/1.1
X-Events-API-AccountName:<global_account_name>
X-Events-API-Key:<api_key>
Content-Type: application/vnd.appd.events+json;v=2
Accept: application/vnd.appd.events+json;v=2
[
  {
    "query": "SELECT * FROM county WHERE population>50000",
    "limit": 10,
    "start": "2017-02-23T0:0:0Z",
    "end": "2017-03-1T0:0:0Z"
  },
]
Kindly help.
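Added example, not part of the original post: a Ruby check that compares the JSON body the filter configuration in the post would serialize with the shape of the sample request in the post. Treating the sample as the shape the endpoint requires, and the interpolated start/end arriving as strings, are assumptions; the constant and function names are illustrative.

```ruby
require 'json'
require 'time'

QUERY = "SELECT pagename AS ErrorPage, referrer AS GeneratedPage, " \
        "count(*) AS ErrorTraffic FROM browser_records WHERE appkey = 'AAA-AAB-AUB'"

# Timestamp form used in the post's sample request, e.g. "2017-02-23T0:0:0Z".
SAMPLE_TIME = /\A\d{4}-\d{1,2}-\d{1,2}T\d{1,2}:\d{1,2}:\d{1,2}Z\z/

# Body as written in the filter config: a single object whose start/end are
# the interpolated epoch seconds (assumed to arrive as strings).
def configured_body(start_epoch, end_epoch)
  { 'query' => QUERY, 'start' => start_epoch.to_s, 'end' => end_epoch.to_s }
end

# Same query in the sample's shape: an array of query objects, UTC timestamps.
def sample_shaped_body(start_epoch, end_epoch)
  [{ 'query' => QUERY,
     'start' => Time.at(start_epoch).utc.iso8601,
     'end'   => Time.at(end_epoch).utc.iso8601 }]
end

# Returns the ways a serialized body departs from the sample request's shape.
def shape_differences(json_text)
  doc = JSON.parse(json_text)
  return ['top level is not a JSON array'] unless doc.is_a?(Array)

  doc.each_with_index.flat_map do |item, i|
    if item.is_a?(Hash) && item['query'].is_a?(String)
      %w[start end].select { |k| item.key?(k) && item[k].to_s !~ SAMPLE_TIME }
                   .map { |k| "item #{i}: #{k} is not a UTC timestamp string" }
    else
      ["item #{i}: not an object with a query string"]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # start/end values taken from the event printed in the post's log output.
  [configured_body(1596800583, 1596802500),
   sample_shaped_body(1596800583, 1596802500)].each do |body|
    puts JSON.generate(body)
    puts "  differences: #{shape_differences(JSON.generate(body)).inspect}"
  end
end
```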