Logstash filter messages based on a string - Logstash, Logstash Grok - Fatal编程技术网

Logstash: filter messages based on a string

I have the following log lines in the same log file:

2019-11-23T14:38:43.495 backendorg [http-nio-8080-exec-45] INFO http-nio-8080-exec-45 SessionController http://localhost:8080/ABC/session/login ABC.nayak@zinier.com backendorg

2019-11-23T14:38:44.235 backendorg [http-nio-8080-exec-45] INFO http-nio-8080-exec-45 SessionController userSession: backendorg 16CFAFCCFB14D9A3 16e978545e17fec 16E978545E1452FF

I am using the filter below to parse the above messages based on the string "userSession":

input {
  file {
    tags => ["stacktrace"]
    type => "error-logs"
    path => ["/Users/znrind-a0053/Downloads/logs/zapp audit.log"]
    start_position => "beginning"
    sincedb_path => "/tmp/sincedb_file"
    codec => multiline {
      pattern => "^%{TIMESTAMP_ISO8601}"
      negate => true
      what => "previous"
    }
  }
}
filter {
  if "userSession" in [message] {
    grok {
      match => [ "message",
        "%{TIMESTAMP_ISO8601:timestamp_match} %{USERNAME:orgId} (\[%{DATA:thread}\])?( )?%{LOGLEVEL:level}%{SPACE}%{USERNAME:zhost} %{JAVAFILE:javaClass} %{URI:url}%{SPACE}(?[\w.+=:-]+@[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:[.](?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*)%{SPACE}%{USERNAME:orgnisation}" ]
    }
  } else {
    grok {
      match => [ "message",
        "%{TIMESTAMP_ISO8601:timestamp_match} %{USERNAME:orgId} (\[%{DATA:thread}\])?( )?%{LOGLEVEL:level}%{SPACE}%{USERNAME:zhost} %{JAVACLASS:javaClass} %{USERNAME:logmessage}:?%{SPACE}%{USERNAME:orgnisation}%{SPACE}%{USERNAME:loginUserId}%{SPACE}%{USERNAME:sessionId}%{SPACE}%{USERNAME:txnId}" ]
    }
  }
}
output {
  elasticsearch {
    hosts => "localhost"
    index => "logs"
  }
  stdout { codec => json }
}

But I am getting a grok parser error. Any suggestions would be much appreciated.

For the email you have to use

(?<email>[a-zA-Z0-9+=:-]+@[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*)

(?<email>[\w.+=:-]+@[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:[.](?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*)

So your match will become

%{TIMESTAMP_ISO8601:timestamp_match} %{USERNAME:orgId} (\[%{DATA:thread}\])?( )?%{LOGLEVEL:level}%{SPACE}%{USERNAME:zhost} %{JAVAFILE:javaClass} %{URI:url}%{SPACE}(?<email>[\w.+=:-]+@[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:[.](?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*)%{SPACE}%{USERNAME:orgnisation}

Try the following in your filter:

filter {
  if "userSession" in [message] {
    grok {
      match => [ "message",
        "%{TIMESTAMP_ISO8601:timestamp_match} %{USERNAME:orgId} (\[%{DATA:thread}\])?( )?%{LOGLEVEL:level}%{SPACE}%{USERNAME:zhost} %{JAVAFILE:javaClass} %{USERNAME:logmessage}:?%{SPACE}%{USERNAME:orgnisation}%{SPACE}%{USERNAME:loginUserId}%{SPACE}%{USERNAME:sessionId}%{SPACE}%{USERNAME:txnId}" ]
    }
  } else {
    grok {
      match => [ "message",
        "%{TIMESTAMP_ISO8601:timestamp_match} %{USERNAME:orgId} (\[%{DATA:thread}\])?( )?%{LOGLEVEL:level}%{SPACE}%{USERNAME:zhost} %{JAVAFILE:javaClass} %{URI:url}%{SPACE}(?<email>[\w.+=:-]+@[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:[.](?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*)%{SPACE}%{USERNAME:orgnisation}" ]
    }
  }
}
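The following is an added example, not code from the question or the answer above. It expands the two grok patterns from the answer into plain regular expressions the way grok does, applies the same `userSession` branch to two sample lines reconstructed from the question (the e-mail address in the first line is an assumption, since the scraped copy garbled it), and shows that the unnamed `(?[...]` group from the question is rejected by the regex engine. Ruby is used because its Onigmo syntax is the one the joni engine behind Logstash's grok follows, including `(?<name>...)` groups. The grok definitions are a trimmed subset of the core pattern library; LOGLEVEL and URI are simplified here, so field boundaries for unusual inputs can differ from a real Logstash run. Note also that the question's config applies the URL/e-mail pattern inside the `userSession` branch and the session pattern in `else`, while the answer's version swaps them so each branch receives the line shape it can match.

```ruby
# Added example (not from the question or the answer): expand grok patterns to
# regexes, reproduce the filter's if/else branch, and show which pattern
# fails to compile. Onigmo (Ruby) syntax matches what Logstash grok accepts.

# ASSUMPTION: a trimmed subset of logstash-patterns-core. The timestamp pieces,
# USERNAME, SPACE, DATA and JAVAFILE are the library definitions; LOGLEVEL and
# URI are simplified for brevity.
GROK = {
  'YEAR'              => '(?>\d\d){1,2}',
  'MONTHNUM'          => '(?:0?[1-9]|1[0-2])',
  'MONTHDAY'          => '(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])',
  'HOUR'              => '(?:2[0123]|[01]?[0-9])',
  'MINUTE'            => '(?:[0-5][0-9])',
  'SECOND'            => '(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)',
  'ISO8601_TIMEZONE'  => '(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))',
  'TIMESTAMP_ISO8601' => '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?',
  'USERNAME'          => '[a-zA-Z0-9._-]+',
  'SPACE'             => '\s*',
  'DATA'              => '.*?',
  'JAVAFILE'          => '(?:[A-Za-z0-9_. -]+)',
  'LOGLEVEL'          => '(?:TRACE|DEBUG|INFO|WARN(?:ING)?|ERROR|FATAL)', # simplified
  'URI'               => '[A-Za-z][A-Za-z0-9+.-]*://\S+',                 # simplified
}.freeze

# Expand %{NAME:field} into a named group and %{NAME} into a plain group,
# recursively, which is what grok does before handing the regex to the engine.
def grok_to_regex(pattern, defs = GROK)
  pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = $1, $2
    body = grok_to_regex(defs.fetch(name), defs)
    field ? "(?<#{field}>#{body})" : "(?:#{body})"
  end
end

# True if the expanded pattern compiles. The question's "(?[...]" group does not.
def grok_compiles?(pattern)
  Regexp.new(grok_to_regex(pattern))
  true
rescue RegexpError
  false
end

# Unanchored search, like grok's default; returns the named fields or nil.
def grok_match(pattern, line)
  m = Regexp.new(grok_to_regex(pattern)).match(line)
  m && m.named_captures
end

# The two patterns from the answer.
SESSION_PATTERN = '%{TIMESTAMP_ISO8601:timestamp_match} %{USERNAME:orgId} (\[%{DATA:thread}\])?( )?%{LOGLEVEL:level}%{SPACE}%{USERNAME:zhost} %{JAVAFILE:javaClass} %{USERNAME:logmessage}:?%{SPACE}%{USERNAME:orgnisation}%{SPACE}%{USERNAME:loginUserId}%{SPACE}%{USERNAME:sessionId}%{SPACE}%{USERNAME:txnId}'
LOGIN_PATTERN   = '%{TIMESTAMP_ISO8601:timestamp_match} %{USERNAME:orgId} (\[%{DATA:thread}\])?( )?%{LOGLEVEL:level}%{SPACE}%{USERNAME:zhost} %{JAVAFILE:javaClass} %{URI:url}%{SPACE}(?<email>[\w.+=:-]+@[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:[.](?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*)%{SPACE}%{USERNAME:orgnisation}'
# The e-mail group as written in the question: "(?" with no group name.
BROKEN_LOGIN_PATTERN = LOGIN_PATTERN.sub('(?<email>', '(?')

# Mirror the filter's branch: userSession lines get SESSION_PATTERN, the rest
# LOGIN_PATTERN; a miss is tagged _grokparsefailure like the grok filter does.
def parse_audit_line(line)
  pattern = line.include?('userSession') ? SESSION_PATTERN : LOGIN_PATTERN
  grok_match(pattern, line) || { 'tags' => ['_grokparsefailure'] }
end

# Constructed sample lines, rebuilt from the two lines in the question
# (the e-mail address is an assumption; the scraped copy garbled it).
LOGIN_LINE   = '2019-11-23T14:38:43.495 backendorg [http-nio-8080-exec-45] INFO http-nio-8080-exec-45 SessionController http://localhost:8080/ABC/session/login ABC.nayak@zinier.com backendorg'
SESSION_LINE = '2019-11-23T14:38:44.235 backendorg [http-nio-8080-exec-45] INFO http-nio-8080-exec-45 SessionController userSession: backendorg 16CFAFCCFB14D9A3 16e978545e17fec 16E978545E1452FF'

if __FILE__ == $PROGRAM_NAME
  puts "question's e-mail group compiles: #{grok_compiles?(BROKEN_LOGIN_PATTERN)}"
  [LOGIN_LINE, SESSION_LINE].each { |l| p parse_audit_line(l) }
end
```

Because `grok_match` is an unanchored search, the same as grok's default, a loose pattern can still match part of a line; anchor with `^` if a full-line match is intended. Since `grok_to_regex` produces the final regex text, printing it is the quickest way to see where a real Logstash compile error or `_grokparsefailure` comes from before restarting the pipeline.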

Thanks for the reply. But my problem is as mentioned above: the if/else cannot work on the string, and I am getting _grokparsefailure.

Because your match statement is incorrect. It cannot compile. Please check again.

I have edited my post with the complete config file. After using your solution I am still getting the same error. Please tell me what is wrong with this.