Logstash: filter messages based on a string
Tags: logstash, logstash-grok

I have the following logs in the same log file:

2019-11-23T14:38:43.495 backendorg [http-nio-8080-exec-45] INFO http-nio-8080-exec-45 SessionController http://localhost:8080/ABC/session/login abc.nayak@zinier.com backendorg
2019-11-23T14:38:44.235 backendorg [http-nio-8080-exec-45] INFO http-nio-8080-exec-45 SessionController userSession: backendorg 16CFAFCCFB14D9A3 16e978545e17fec 16E978545E1452FF
I am using the filter below to parse the above messages based on the string "userSession":
input {
  file {
    tags => ["stacktrace"]
    type => "errorlog"
    path => ["/Users/znrind-a0053/Downloads/logs/zapp audit.log"]
    start_position => "beginning"
    sincedb_path => "/tmp/sincedb_file"
    codec => multiline {
      pattern => "^%{TIMESTAMP_ISO8601}"
      negate => true
      what => "previous"
    }
  }
}
filter {
  if "userSession" in [message] {
    grok {
      match => [ "message",
        "%{TIMESTAMP_ISO8601:timestamp_match} %{USERNAME:orgId} (\[%{DATA:thread}\])?( )?%{LOGLEVEL:level}%{SPACE}%{USERNAME:zhost} %{JAVAFILE:javaClass} %{URI:url}%{SPACE}(?<email>[\w.+=:-]+@[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:[.](?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*)%{SPACE}%{USERNAME:orgnisation}" ]
    }
  } else {
    grok {
      match => [ "message",
        "%{TIMESTAMP_ISO8601:timestamp_match} %{USERNAME:orgId} (\[%{DATA:thread}\])?( )?%{LOGLEVEL:level}%{SPACE}%{USERNAME:zhost} %{JAVAFILE:javaClass} %{USERNAME:logmessage}:?%{SPACE}%{USERNAME:orgnisation}%{SPACE}%{USERNAME:loginUserId}%{SPACE}%{USERNAME:sessionId}%{SPACE}%{USERNAME:txnId}" ]
    }
  }
}
output {
  elasticsearch {
    hosts => "localhost"
    index => "logs"
  }
  stdout { codec => json }
}
But I get a grok parser error. Any suggestions would be much appreciated.

For the email you must use

(?<email>[a-zA-Z0-9+=:-]+@[0-9A-zA-z][0-9A-zA-z-]{0,62}(?:\.(?:[0-9A-zA-z][0-9A-Za-z-]{0,62}))*)

or

(?<email>[\w.+=:-]+@[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:[.](?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*)

So your grok will become:

%{TIMESTAMP_ISO8601:timestamp_match} %{USERNAME:orgId} (\[%{DATA:thread}\])?( )?%{LOGLEVEL:level}%{SPACE}%{USERNAME:zhost} %{JAVAFILE:javaClass} %{URI:url}%{SPACE}(?<email>[\w.+=:-]+@[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:[.](?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*)%{SPACE}%{USERNAME:orgnisation}
Try the following in the filter:
filter {
if "userSession" in [message]{
grok {
match => [ "message",
"%{TIMESTAMP_ISO8601:timestamp_match} %{USERNAME:orgId} (\[%{DATA:thread}\])?( )?%{LOGLEVEL:level}%{SPACE}%{USERNAME:zhost} %{JAVAFILE:javaClass} %{USERNAME:logmessage}:?%{SPACE}%{USERNAME:orgnisation}%{SPACE}%{USERNAME:loginUserId}%{SPACE}%{USERNAME:sessionId}%{SPACE}%{USERNAME:txnId}"]
}
} else {
grok {
match => [ "message",
"%{TIMESTAMP_ISO8601:timestamp_match} %{USERNAME:orgId} (\[%{DATA:thread}\])?( )?%{LOGLEVEL:level}%{SPACE}%{USERNAME:zhost} %{JAVAFILE:javaClass} %{URI:url}%{SPACE}(?<email>[\w.+=:-]+@[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:[.](?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*)%{SPACE}%{USERNAME:orgnisation}"]
}
}
}
Thanks for the reply. But my issue is as mentioned above: the if/else does not work with the string; I am getting _grokparsefailure.

Because your match statement is incorrect. It cannot compile. Please check again.

I have edited my post with the full config file. After using your solution I still get the same error. Please tell me what is wrong with it.
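As an added example (not part of the question or the answer above, and not Logstash's own code): a small Python emulation of the grok `%{PATTERN:field}` expansion and of the `if "userSession" in [message]` routing, run over two constructed copies of the question's log lines. The base patterns are simplified approximations of the grok-patterns library, not the exact definitions Logstash ships. With the patterns in the branches as posted in the question, both lines end in a parse failure; with the branches arranged as in the answer's filter, both lines parse.

```python
"""Added example: emulate the grok expansion and the if/else routing from this
page in Python, over constructed copies of the two log lines in the question."""
import re

# Simplified stand-ins for the grok-patterns library (assumption: approximations,
# not the exact definitions Logstash ships; sufficient for these two lines).
BASE_PATTERNS = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "DATA": r".*?",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|WARN(?:ING)?|ERROR|FATAL)",
    "SPACE": r"\s*",
    "JAVAFILE": r"[A-Za-z0-9_.$-]+",
    "URI": r"[a-zA-Z][a-zA-Z0-9+.-]*://[^\s]*",
}

GROK_TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(pattern: str) -> re.Pattern:
    """Expand %{NAME:field} tokens into named groups and translate the
    Oniguruma named-group syntax (?<name>...) that grok accepts into
    Python's (?P<name>...)."""
    def expand(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        body = GROK_TOKEN.sub(expand, BASE_PATTERNS[name])
        return f"(?P<{field}>{body})" if field else f"(?:{body})"

    expanded = GROK_TOKEN.sub(expand, pattern)
    expanded = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", expanded)
    return re.compile(expanded)


# The two grok patterns from the page, verbatim.
URL_PATTERN = (
    r"%{TIMESTAMP_ISO8601:timestamp_match} %{USERNAME:orgId} (\[%{DATA:thread}\])?( )?"
    r"%{LOGLEVEL:level}%{SPACE}%{USERNAME:zhost} %{JAVAFILE:javaClass} %{URI:url}%{SPACE}"
    r"(?<email>[\w.+=:-]+@[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:[.](?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*)"
    r"%{SPACE}%{USERNAME:orgnisation}"
)
SESSION_PATTERN = (
    r"%{TIMESTAMP_ISO8601:timestamp_match} %{USERNAME:orgId} (\[%{DATA:thread}\])?( )?"
    r"%{LOGLEVEL:level}%{SPACE}%{USERNAME:zhost} %{JAVAFILE:javaClass} %{USERNAME:logmessage}:?"
    r"%{SPACE}%{USERNAME:orgnisation}%{SPACE}%{USERNAME:loginUserId}%{SPACE}%{USERNAME:sessionId}"
    r"%{SPACE}%{USERNAME:txnId}"
)
URL_GROK = compile_grok(URL_PATTERN)
SESSION_GROK = compile_grok(SESSION_PATTERN)

# Constructed copies of the two lines in the question (spacing restored).
LOGIN_LINE = (
    "2019-11-23T14:38:43.495 backendorg [http-nio-8080-exec-45] INFO http-nio-8080-exec-45 "
    "SessionController http://localhost:8080/ABC/session/login abc.nayak@zinier.com backendorg"
)
SESSION_LINE = (
    "2019-11-23T14:38:44.235 backendorg [http-nio-8080-exec-45] INFO http-nio-8080-exec-45 "
    "SessionController userSession: backendorg 16CFAFCCFB14D9A3 16e978545e17fec 16E978545E1452FF"
)


def route_and_parse(message: str, when_user_session: re.Pattern, otherwise: re.Pattern):
    """Mirror `if "userSession" in [message] { grok {...} } else { grok {...} }`.
    grok matches unanchored, so search() is used; None stands for _grokparsefailure."""
    pattern = when_user_session if "userSession" in message else otherwise
    m = pattern.search(message)
    return m.groupdict() if m else None


def parse_as_posted(message: str):
    """Routing from the question: URL/email pattern in the userSession branch."""
    return route_and_parse(message, URL_GROK, SESSION_GROK)


def parse_as_answered(message: str):
    """Routing from the answer's filter: the two patterns swapped."""
    return route_and_parse(message, SESSION_GROK, URL_GROK)


if __name__ == "__main__":
    for line in (LOGIN_LINE, SESSION_LINE):
        print("as posted   :", parse_as_posted(line))
        print("as answered :", parse_as_answered(line))
```

The emulator searches unanchored, as grok does by default. In a real pipeline, anchoring each pattern with `^` makes a non-matching line fail fast instead of being retried from every start position, and keeping the default `_grokparsefailure` tag (and counting it) is what tells you that lines are being routed to the wrong branch rather than silently losing fields.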