Grok and mutate in the Logstash filter have no effect on the output
Logstash collects the logs via Filebeat running on a remote host. My end goal is a chart that shows the response time of the HTTP logs day by day, so I am focusing on the response time inside the log messages. Right now the JSON document I get from Kibana looks like this:
{
  "_index": "filebeat-7.9.2-2020.10.06-000001",
  "_type": "_doc",
  "_id": "NYaZB3UB-JR2hYtrwawX",
  "_version": 1,
  "_score": null,
  "_source": {
    "@timestamp": "2020-10-08T09:45:17.358Z",
    "agent": {
      "id": "acbc8cf5-7bc1-46ab-a9ad-8ee1fef26183",
      "name": "42dcb5cf4d4a",
      "type": "filebeat",
      "version": "7.9.2",
      "hostname": "42dcb5cf4d4a",
      "ephemeral_id": "e45f89ee-f355-4490-b79b-394a2226ffe7"
    },
    "log": {
      "offset": 5157015,
      "file": {
        "path": "/usr/logs/tomcat/test.com.access.2020-10-08.log"
      }
    },
    "message": "203.149.37.226 - - [08/Oct/2020:11:45:10 +0200] \"POST /TestserviceWarning/get_warning/render?method=get_warnings_onsite_status_excel&subDomain=testClick&webId=1196&scanId=4482 HTTP/1.1\" 200 1151 0.010",
    "tags": [
      "tomcat"
    ],
    "input": {
      "type": "log"
    },
    "ecs": {
      "version": "1.5.0"
    },
    "host": {
      "name": "42dcb5cf4d4a"
    }
  },
  "fields": {
    "@timestamp": [
      "2020-10-08T09:45:17.358Z"
    ]
  },
  "sort": [
    1602150317358
  ]
}
And here is my pipeline configuration:
input {
  beats {
    port => 5000
  }
}
filter {
  if "tomcat" in [tags] {
    grok {
      match => { "message" => "%{IPORHOST:client} %{DATA} %{DATA:user} \[%{DATA:logtimestamp} %{ISO8601_TIMEZONE:timezone}\] \"%{WORD:method} %{URIPATH:uri_path}(%{URIPARAM:params}|) %{DATA:protocol}\" %{NUMBER:code} (%{NUMBER:bytes}|%{DATA}) %{NUMBER:response_time_sec}" }
      overwrite => [ "message" ]
    }
    mutate {
      add_field => { "respones_time" => "%{response_time_sec}" }
    }
  }
}
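One way to check whether the filter runs at all is to add a temporary stdout output, and, since grok captures every field as a string, to convert the response time to a float before trying to chart it. A possible sketch (both `stdout { codec => rubydebug }` and mutate's `convert` option are standard Logstash plugins; adapt the fragment to your own pipeline):

```
filter {
  # grok extracts strings; convert so Kibana can aggregate numerically
  mutate {
    convert => { "response_time_sec" => "float" }
  }
}
output {
  # temporary debugging output: prints every event, making grok results visible
  stdout { codec => rubydebug }
}
```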
Once the pipeline is triggered, I do not see any additional fields in the JSON message. The result stays the same.

Edit, October 9, 2020: After wasting a whole day I still cannot make it work. So I enabled the debug log level, and it seems Logstash can access the filter, but it somehow does not apply the filter to the output:
org.logstash.config.ir.compiler.ComputeStepSyntaxElement@8d7da797
P[filter-grok{"match"=>{"message"=>"%{IPORHOST:client} %{DATA} %{DATA:user} \\[%{DATA:logtimestamp} %{ISO8601_TIMEZONE:timezone}\\] \\\"%{WORD:method} %{URIPATH:uri_path}(%{URIPARAM:params}|) %{DATA:protocol}\\\" %{NUMBER:code} (%{NUMBER:bytes}|%{DATA}) %{NUMBER:response_time_sec}"}}|[file]/usr/share/logstash/pipeline/logstash.conf:9:17:```
grok {
match => { "message" => "%{IPORHOST:client} %{DATA} %{DATA:user} \[%{DATA:logtimestamp} %{ISO8601_TIMEZONE:timezone}\] \"%{WORD:method} %{URIPATH:uri_path}(%{URIPARAM:params}|) %{DATA:protocol}\" %{NUMBER:code} (%{NUMBER:bytes}|%{DATA}) %{NUMBER:response_time_sec}"}
}
```]
into
org.logstash.config.ir.compiler.ComputeStepSyntaxElement@8d7da797
Then I saw a new exception message:
[INFO ] 2020-10-09 06:24:55.568 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[INFO ] 2020-10-09 06:24:55.649 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
java.lang.UnsupportedOperationException: Reflective setAccessible(true) disabled
Your Logstash configuration looks correct. Below is the Logstash output that should end up in Elasticsearch. I assume you re-ingested the log file after applying the latest configuration. Also make sure you reload the Logstash configuration and refresh the index pattern in Kibana so that it picks up the new fields:
{
"response_time_sec" => "0.010",
"timezone" => "+0200",
"@timestamp" => 2020-10-08T13:10:21.115Z,
"host" => "4ddee8887e1b",
"client" => "203.149.37.226",
"respones_time" => "0.010",
"@version" => "1",
"bytes" => "1151",
"path" => "/usr/share/logstash/stack/data/data.log",
"logtimestamp" => "08/Oct/2020:11:45:10",
"method" => "POST",
"uri_path" => "/TestserviceWarning/get_warning/render",
"user" => "-",
"protocol" => "HTTP/1.1",
"code" => "200",
"params" => "?method=get_warnings_onsite_status_excel&subDomain=testClick&webId=1196&scanId=4482",
"message" => "203.149.37.226 - - [08/Oct/2020:11:45:10 +0200] \"POST /TestserviceWarning/get_warning/render?method=get_warnings_onsite_status_excel&subDomain=testClick&webId=1196&scanId=4482 HTTP/1.1\" 200 1151 0.010"
}
That said, what you want to achieve can also be done with the following filter alone:
filter {
  grok {
    match => { "message" => "%{IPORHOST:client} %{DATA} %{DATA:user} \[%{DATA:logtimestamp} %{ISO8601_TIMEZONE:timezone}\] \"%{WORD:method} %{URIPATH:uri_path}(%{URIPARAM:params}|) %{DATA:protocol}\" %{NUMBER:code} (%{NUMBER:bytes}|%{DATA}) %{NUMBER:response_time}" }
  }
}
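Before wiring a pattern like this into Logstash, it can be sanity-checked offline. The sketch below uses a rough Python `re` approximation of the grok expression (hand-translated, so it is not identical to the Oniguruma patterns grok actually uses) against the sample message from the question:

```python
import re

# Rough Python approximation of the grok pattern above, for offline testing only
LOG_RE = re.compile(
    r'(?P<client>\S+) \S+ (?P<user>\S+) '
    r'\[(?P<logtimestamp>[^ \]]+) (?P<timezone>[+-]\d{4})\] '
    r'"(?P<method>\w+) (?P<uri_path>[^?" ]+)(?P<params>\?\S*)? (?P<protocol>[^"]+)" '
    r'(?P<code>\d+) (?P<bytes>\d+|-) (?P<response_time_sec>\d+\.\d+)'
)

sample = ('203.149.37.226 - - [08/Oct/2020:11:45:10 +0200] '
          '"POST /TestserviceWarning/get_warning/render'
          '?method=get_warnings_onsite_status_excel&subDomain=testClick&webId=1196&scanId=4482'
          ' HTTP/1.1" 200 1151 0.010')

m = LOG_RE.match(sample)
print(m.group('response_time_sec'))  # 0.010
print(m.group('code'))               # 200
```

If the regex fails to match here, the grok pattern is worth re-checking in the Grok Debugger (built into Kibana's Dev Tools) before blaming the pipeline.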
The expected output fields:
{
"bytes" => "1151",
"@version" => "1",
"logtimestamp" => "08/Oct/2020:11:45:10",
"method" => "POST",
"code" => "200",
"client" => "203.149.37.226",
"host" => "169f8e2acdce",
"timezone" => "+0200",
"params" => "?method=get_warnings_onsite_status_excel&subDomain=testClick&webId=1196&scanId=4482",
"path" => "/usr/share/logstash/stack/data/data.log",
"@timestamp" => 2020-10-08T13:15:31.576Z,
"uri_path" => "/TestserviceWarning/get_warning/render",
"user" => "-",
"protocol" => "HTTP/1.1",
"response_time_sec" => "0.010",
"message" => "203.149.37.226 - - [08/Oct/2020:11:45:10 +0200] \"POST /TestserviceWarning/get_warning/render?method=get_warnings_onsite_status_excel&subDomain=testClick&webId=1196&scanId=4482 HTTP/1.1\" 200 1151 0.010"
}
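For the day-by-day chart itself, the usual route is a Kibana date histogram on `@timestamp` with an average of the (numeric) response time. The same aggregation can be sketched offline in plain Python; the events below are made-up values purely for illustration:

```python
from collections import defaultdict
from statistics import mean

# Hypothetical parsed events: (ISO timestamp, response time in seconds)
events = [
    ("2020-10-08T09:45:17.358Z", 0.25),
    ("2020-10-08T11:02:03.000Z", 0.75),
    ("2020-10-09T08:15:00.000Z", 0.50),
]

# Group response times by calendar day (first 10 chars of the ISO timestamp)
by_day = defaultdict(list)
for ts, rt in events:
    by_day[ts[:10]].append(rt)

# Average per day, sorted chronologically
daily_avg = {day: mean(rts) for day, rts in sorted(by_day.items())}
print(daily_avg)  # {'2020-10-08': 0.5, '2020-10-09': 0.5}
```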
Sorry, that was a typo on my part; the actual code uses the correct syntax.

Thank you for the detailed reply. I edited the post to add more details.

Can you send your output to stdout and share it? Maybe that will help me understand it better. You could also try the same without any filter; sometimes that helps to understand the input you receive from Beats: `output { stdout {} }`

Problem solved! It was definitely my misunderstanding of the Logstash docker run command; my output was going straight to ES and bypassing Logstash entirely.

Glad I could help.