Regex: Logstash log parsing error: grokparsefailure

Tags: regex, logstash, logstash-grok

I am trying to integrate Logstash into our application, and I have included the following pattern in the custom pattern file.
Path: <path>/custom_pattern -- This is the custom pattern file. I include this path in the conf.
Content: ACCESSLOGPARSE \[%{HTTPDATE:timestamp}\] %{IPORHOST:clientip} (?: xff=%{IPORHOST:xffIp})
When I run Logstash I get the following output, in which the log is not parsed:
{
"message" => "[09/Jan/2015:00:00:02 +0000] 127.0.0.1 xff=-",
"@version" => "1",
"@timestamp" => "2015-01-20T15:30:10.865Z",
"host" => "Salvador",
"path" => "/tmp/jboss-logs.log",
"type" => "jboss_access",
"tags" => [
[0] "_grokparsefailure"
]
}
{
"message" => "[09/Jan/2015:00:10:17 +0000] 100.20.10.11 xff=100.40.11.3",
"@version" => "1",
"@timestamp" => "2015-01-20T15:30:10.869Z",
"host" => "Salvador",
"path" => "/tmp/jboss-logs.log",
"type" => "jboss_access",
"tags" => [
[0] "_grokparsefailure"
]
}
The problem is that the "xff" key in the log may contain either an IP or "-".
I have also tried the following patterns, but they do not work either:
ACCESSLOGPARSE \[%{HTTPDATE:timestamp}\] %{IPORHOST:clientip} (?: xff=%{IPORHOST:xffIp}|-)
and
ACCESSLOGPARSE \[%{HTTPDATE:timestamp}\] %{IPORHOST:clientip} (?: xff=%{IPORHOST:xffIp}|xff=-)
What is wrong with the parser for this pattern?

Your first pattern uses only IPORHOST, which does not accept "-" as a valid value.
Your second pattern (?:xff=%{IPORHOST:xffIp}|-) looks for "xff=1.2.3.4" or "-". Your input is "xff=-", which matches neither.
Also note that the space after "(?:" is significant and should be removed.
These work:
xff=(?:%{IPORHOST:xffIp}|-)
(but xffIp will be empty when the value is "-"), or, using a more general pattern:
(?:xff=%{NOTSPACE:xffIp})
Or you can define a new pattern:
IPORHOSTORDASH (?:%{IPORHOST}|-)
and use it:
(?:xff=%{IPORHOSTORDASH:xffIp})
which puts the parsed value into the xffIp field.
If your line has more key/value fields, you should look at the kv{} filter.

Thanks. Your solution works, but only after I kept the space next to "(?:". Do you know why that is? Could you share a link where I can learn this pattern creation thoroughly? I searched for it and could not find a workable one.

There is no place to "fully learn" anything about ELK. You have to gather pieces here, on blogs, on IRC, etc. For patterns, the source code () or the "patterns" tab in the debugger () will serve you best.
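To see why the question's pattern fails on both lines while the answer's fixes succeed, here is an added example (not code from the question, the answer or Logstash itself) that expands grok-style %{NAME:field} references into a Python regex using a constructed, simplified subset of the built-in patterns, then runs the broken pattern and the answer's variants over the two message lines quoted above.

```python
import re

# Constructed, simplified subset of Logstash's built-in grok patterns so the
# example runs offline with Python's re module (Logstash uses Oniguruma).
PATTERNS = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "HTTPDATE": r"\d{2}/%{MONTH}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
    "IP": r"\d{1,3}(?:\.\d{1,3}){3}",
    # Hostnames must start with an alphanumeric, so a bare "-" never matches.
    "HOSTNAME": r"\b[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z-]{0,62})*\b",
    "IPORHOST": r"(?:%{IP}|%{HOSTNAME})",
    "NOTSPACE": r"\S+",
    # The custom pattern the answer proposes: an IP/host or a bare dash.
    "IPORHOSTORDASH": r"(?:%{IPORHOST}|-)",
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(pattern):
    """Recursively expand %{NAME} / %{NAME:field} references into one regex."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK_REF.sub(expand, PATTERNS[name])
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(GROK_REF.sub(expand, pattern))


def grok(pattern, line):
    """Return captured fields, or None where Logstash would tag _grokparsefailure."""
    m = compile_grok(pattern).search(line)
    return m.groupdict() if m else None


# The two "message" lines from the question's output.
LINES = [
    "[09/Jan/2015:00:00:02 +0000] 127.0.0.1 xff=-",
    "[09/Jan/2015:00:10:17 +0000] 100.20.10.11 xff=100.40.11.3",
]

# The question's pattern (the stray space after "(?:" demands two spaces before xff=),
# the answer's first fix (xffIp left empty for "-"), and the answer's custom pattern.
BROKEN = r"\[%{HTTPDATE:timestamp}\] %{IPORHOST:clientip} (?: xff=%{IPORHOST:xffIp})"
ALT = r"\[%{HTTPDATE:timestamp}\] %{IPORHOST:clientip} xff=(?:%{IPORHOST:xffIp}|-)"
FIXED = r"\[%{HTTPDATE:timestamp}\] %{IPORHOST:clientip} (?:xff=%{IPORHOSTORDASH:xffIp})"

if __name__ == "__main__":
    for name, pat in (("BROKEN", BROKEN), ("ALT", ALT), ("FIXED", FIXED)):
        for line in LINES:
            print(name, grok(pat, line))
```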