Logstash Grok筛选器每次匹配获取多个值
我有一个服务器,它以自定义日志格式将访问日志发送到logstash,并使用logstash过滤这些日志并将它们发送到Elastisearch 日志行如下所示:Logstash Grok筛选器每次匹配获取多个值,logstash,logstash-grok,Logstash,Logstash Grok,我有一个服务器,它以自定义日志格式将访问日志发送到logstash,并使用logstash过滤这些日志并将它们发送到Elastisearch 日志行如下所示: 0.0.0.0 - GET / 200 - 29771 3 ms ELB-HealthChecker/1.0\n 并使用此grok筛选器进行分析: grok { match => [ "message", "%{IP:remote_host} %{USER:remote_user} %{WORD:method} %{
0.0.0.0 - GET / 200 - 29771 3 ms ELB-HealthChecker/1.0\n
grok {
match => [
"message", "%{IP:remote_host} %{USER:remote_user} %{WORD:method} %{URIPATHPARAM:requested_uri} %{NUMBER:status_code} - %{NUMBER:content_length} %{NUMBER:elapsed_time:int} ms %{GREEDYDATA:user_agent}",
"message", "%{IP:remote_host} - %{WORD:method} %{URIPATHPARAM:requested_uri} %{NUMBER:status_code} - %{NUMBER:content_length} %{NUMBER:elapsed_time:int} ms %{GREEDYDATA:user_agent}",
"message", "%{IP:remote_host} %{USER:remote_user} %{WORD:method} %{URIPATHPARAM:requested_uri} %{NUMBER:status_code} - - %{NUMBER:elapsed_time:int} ms %{GREEDYDATA:user_agent}",
"message", "%{IP:remote_host} - %{WORD:method} %{URIPATHPARAM:requested_uri} %{NUMBER:status_code} - - %{NUMBER:elapsed_time:int} ms %{GREEDYDATA:user_agent}"
]
add_field => {
"protocol" => "HTTP"
}
}
知道为什么我每个日志都有多个匹配项吗?Grok不应该在成功解析的第一个匹配上中断吗?很可能您有多个正在加载的配置文件。如果查看输出,特别是
已用时间已用时间:int{
"_source": {
"message": " 0.0.0.0 - GET / 200 - 29771 3 ms ELB-HealthChecker/1.0\n",
"tags": [
"bunyan"
],
"@version": "1",
"host": "0.0.0.0:0000",
"remote_host": [
"0.0.0.0",
"0.0.0.0"
],
"remote_user": [
"-",
"-"
],
"method": [
"GET",
"GET"
],
"requested_uri": [
"/",
"/"
],
"status_code": [
"200",
"200"
],
"content_length": [
"29771",
"29771"
],
"elapsed_time": [
"3",
3
],
"user_agent": [
"ELB-HealthChecker/1.0",
"ELB-HealthChecker/1.0"
],
"protocol": [
"HTTP",
"HTTP"
]
}
}