Fatal编程技术网
  • logstash/
  • Logstash 从日志中提取日志级别,logstrash

Logstash 从日志中提取日志级别,logstrash

logstash

Logstash 从日志中提取日志级别,logstrash,logstash,logstash-grok,Logstash,Logstash Grok,请任何人帮助我从以下日志中提取日志级别- 2017-05-16 11:52:37,962|DEBUG|logging.WorkerThread|pool-2-thread-1|RequestId:31|ServiceInstanceId:31|VirtualServerName:31|ServiceName:31|InstanceUUID:31|AlertSeverity:31|ServerIPAddress:31|ServerFQDN:31|RemoteHost:31|ClassName:31

请任何人帮助我从以下日志中提取日志级别-

2017-05-16 11:52:37,962|DEBUG|logging.WorkerThread|pool-2-thread-1|RequestId:31|ServiceInstanceId:31|VirtualServerName:31|ServiceName:31|InstanceUUID:31|AlertSeverity:31|ServerIPAddress:31|ServerFQDN:31|RemoteHost:31|ClassName:31|Timer:31| This is debug
我正在使用贝娄模式生成它-

value="%date{ISO8601,UTC}|%.-5level|%logger|%thread|%X{LogType}|%X{Component}|%X{RequestId}|%X{ServiceInstanceId}|%X{VirtualServerName}|%X{ServiceName}|%X{InstanceUUID}|%X{AlertSeverity}|%X{ServerIPAddress}|%X{ServerFQDN}|%X{RemoteHost}|%X{ClassName}|%X{Timer}| %msg%n" />
我期待着这样的事情-

{
     "message" => "2017-05-16 11:52:37,962|DEBUG|logging.WorkerThread|pool-2-thread-1|RequestId:31|ServiceInstanceId:31|VirtualServerName:31|ServiceName:31|InstanceUUID:31|AlertSeverity:31|ServerIPAddress:31|ServerFQDN:31|RemoteHost:31|ClassName:31|Timer:31| This is debug",
     "timestamp" => "2017-05-16 11:52:37,962",
     "log-level" => "DEBUG",
}
尝试以下模式:

%{TIMESTAMP_ISO8601:Data}\|%{WORD:LogLevel}\|%{NOTSPACE:WorkerThread}\|pool\-%{WORD:PoolNumber}\-thread\-%{WORD:ThreadNumber}\|RequestId\:%{NUMBER:RequestId}\|ServiceInstanceId\:%{NUMBER:ServiceInstance}\|VirtualServerName\:%{NUMBER:VirtualServerName}\|ServiceName\:%{NUMBER:ServiceName}\|InstanceUUID\:%{NUMBER:InstanceUUID}\|AlertSeverity\:%{NUMBER:AlertSeverity}\|ServerIPAddress\:%{NUMBER:ServerIPAddress}\|ServerFQDN\:%{NUMBER:ServerFQDN}\|RemoteHost\:%{NUMBER:RemoteHost}\|ClassName\:%{NUMBER:ClassName}\|Timer\:%{NUMBER:Timer}\|%{GREEDYDATA:Text}
这将提取所有字段。基于给出的日志行示例

你好@兔子,非常感谢你,它正按照我的期望工作。我对这个grok模式是完全陌生的,你能提供一些我可以掌握的资源吗?非常感谢您Hey@CRSardar尝试以下链接:谢谢@Rabbit,需要更多帮助吗?管道如下-Filebeatsimply monitoring.txt文件>日志存储>Elasticsearch。按照您的建议使用gork,我看到Elasticsearch正在按如下方式保存数据-点击率:{total:3,max_分数:1.0,点击率:[{{U索引:logstash-2017.05.17,{U类型:log,{U id:tEFlvHP,{U分数:1.0,{U来源:{LogLeve_Chitta:ERROR,ClassName_Chitta:47,RequestId_Chitta:47,ServerIPAddress_Chitta:47,WorkerThread_Chitta:logging.WorkerThread,message_Chitta:OMG多可怕的错误,ServerFQDN_Chitta:47,Data_Chitta:1988-04-28 01:57:21299,Timer_Chitta:47,PoolNumber_Chitta:2,RemoteHost_Chitta:47,ServiceName_Chitta:47,VirtualServerName_Chitta:47,AlertSeverit_Chitta:47,ThreadNumber_Chitta:1,ServiceInstance_Chitta:47,InstanceUUID_Chitta:47,消息:1988-04-28 01:57:21299 |,source:C:\\log\\MSO\\ERROR.log,type:log,@version:1,beat:{hostname:CHITTARS02,name:CHITTARS02,version:5.4.0},主机:CHITTARS02,偏移量:777,输入类型:log,标记:[beats\u输入\u编解码器\u普通应用],@timestamp:2017-05-17T10:16:19.972Z}]}