Regex grok in Logstash
Source: Internet  Published by: 北京网络大学  Editor: 程序博客网  Time: 2024/06/07 10:49
Tool for debugging grok patterns: http://grokdebug.herokuapp.com/
Note: the names of fields or tags added with add_field, and the names of fields captured while parsing, must never be reserved keywords such as type.
Parsing example:
input {
  beats { add_field => { "myid" => "nginx" } port => 5043 }
  beats { add_field => { "myid" => "java" }  port => 5044 }
}

filter {
  if [myid] == "nginx" {
    grok {
      match => { "message" => "^(?<domain>%{IP:ip}|(?:%{NOTSPACE:subsite}\.)?(?<site>[-a-zA-Z0-9]+?).com|%{NOTSPACE:unknown}) %{IPORHOST:dayuip} - (?<user>[a-zA-Z\.\@\-\+_%]+) \[%{HTTPDATE:timestamp}\] \"%{WORD:verb} (?<request_path>(?<biz>\/[^/?]*)%{URIPATH:}?)(?:%{URIPARAM:request_param})? HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) (?:%{BASE10NUM:request_duration}|-) (?:\"(?:%{URI:referrer}|-)\"|%{QS:referrer}) %{QS:agent} \"(?:%{IPORHOST:clientip}(?:[^\"]*)|-)\" %{QS:uidgot} %{QS:uidset} \"(?:[^\" ]* )*(?<upstream>[^ \"]*|-)\"$" }
    }
    date {
      locale   => "en"
      timezone => "Asia/Shanghai"
      match    => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
    mutate {
      convert => { "bytes" => "integer" "request_duration" => "float" }
    }
  }

  if [myid] == "java" {
    if [source] =~ /.+-phplog.log/ {
      grok {
        match => { "message" => "\[entry\]\[ts\](?<ts>.*)\[/ts\]\[lv\](?<lv>.*)\[/lv\]\[th\](?<th>.*)\[/th\]\[lg\](?<lg>.*)\[/lg\]\[cl\](?<cl>.*)\[/cl\]\[m\](?<m>.*)\[/m\]\[ln\](?<ln>.*)\[/ln\]\[bsid\](?<bsid>.*)\[/bsid\]\[esid\](?<esid>.*)\[/esid\]\[txt\](?<txt>.*)\[/txt\]\[proj\](?<proj>.*)\[/proj\]\[iid\](?<iid>.*)\[/iid\]\[file\](?<file>.*)\[/file\]\[ex\](?<ex>.*)\[/ex\]\[type\](?<logtype>.*)\[/type\]\[/entry\]" }
      }
      mutate {
        # drop fields that are not needed
        remove_field => ["type","logtype"]
      }
    } else {
      grok {
        match => { "message" => "\[entry\]\[ts\](?<ts>.*)\[/ts\]\[lv\](?<lv>.*)\[/lv\]\[th\](?<th>.*)\[/th\]\[lg\](?<lg>.*)\[/lg\]\[cl\](?<cl>.*)\[/cl\]\[m\](?<m>.*)\[/m\]\[ln\](?<ln>.*)\[/ln\]\[bsid\](?<bsid>.*)\[/bsid\]\[esid\](?<esid>.*)\[/esid\](\[cmid\](?<cmid>.*)\[/cmid\])?\[txt\](?<txt>.*)\[/txt\]\[ex\](?<ex>.*)\[/ex\]\[/entry\]" }
      }
      # project and instance id come from the log file name
      grok {
        match => { "source" => "(?<proj>[^/]+)-(?<iid>\w+)-\w+\.log" }
      }
    }
    mutate {
      rename => { "source" => "file" "offset" => "seq" }
    }
    mutate {
      # drop fields that are not needed
      remove_field => ["input_type","count","tags","message","@version","beat","fields","offset","source"]
    }
    date {
      match => ["ts", 'yyyy-MM-dd$HH:mm:ss.SSS', 'yyyy-MM-dd$HH:mm:ss.SSSZ']
    }
  } # endif_javalog
}

output {
  if [myid] == "nginx" {
    elasticsearch { hosts => ["192.168.5.201:9200"] index => "log-nginx-%{+YYYY.MM.dd}" }
    http {
      format      => "json"
      http_method => "post"
      # url => "http://192.168.1.68:8990/api/v1/metrics"
      url         => "http://agg.we.com/api/v1/acclog"
    }
  }
  if [myid] == "java" {
    if [host] == "zy-java1" { elasticsearch { hosts => ["192.168.5.201:9200"] index => "log-java-call-uat-%{+YYYY.MM.dd}" } }
    if [host] == "JAVA1"    { elasticsearch { hosts => ["192.168.5.201:9200"] index => "log-java-call-%{+YYYY.MM.dd}" } }
    if [host] == "JAVA2"    { elasticsearch { hosts => ["192.168.5.201:9200"] index => "log-java-call-%{+YYYY.MM.dd}" } }
  }
}
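The filter above works because grok expands every %{SYNTAX:SEMANTIC} reference into a named capture and compiles the whole match string as one regex. The following is an added example, not code from the original post or from Logstash itself: a miniature grok expander in Ruby (the language Logstash plugins are written in) with a handful of simplified base patterns, a cut-down nginx pattern modelled on the one in the config, and a constructed sample log line. It shows how the biz/request_path nesting yields both fields, that an empty field name such as %{URIPATH:} is treated here as an unnamed reference, and that integer/float conversion and date normalisation are separate steps after the match, just as the mutate and date filters are. The base patterns, the pattern names, the nginx pattern and the sample line are all assumptions for this demonstration.

```ruby
# Added example, not code from the original post or from Logstash: a miniature
# grok expander.  Grok is sugar over Oniguruma regexes: every %{SYNTAX:SEMANTIC}
# reference is replaced by the base pattern SYNTAX wrapped in a named capture
# SEMANTIC, and the result is compiled as one ordinary regex.  The base patterns
# below are simplified copies (assumption: the real Logstash library is larger
# and stricter).
require 'date'

GROK_PATTERNS = {
  'INT'      => '(?:[+-]?(?:[0-9]+))',
  'NUMBER'   => '(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?))',
  'WORD'     => '\b\w+\b',
  'USER'     => '[a-zA-Z0-9._-]+',
  'IPV4'     => '(?:[0-9]{1,3}\.){3}[0-9]{1,3}',
  'HOSTNAME' => '\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)',
  'IPORHOST' => '(?:%{IPV4}|%{HOSTNAME})',
  'MONTHDAY' => '(?:0[1-9]|[12][0-9]|3[01]|[1-9])',
  'MONTH'    => '\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b',
  'YEAR'     => '(?:\d\d){1,2}',
  'TIME'     => '(?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])',
  'HTTPDATE' => '%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}',
  'URIPATH'  => '(?:/[A-Za-z0-9$.+!*\'(){},~:;=@#%&_\-]*)+',
  'URIPARAM' => '\?[A-Za-z0-9$.+!*\'|(){},~@#%&/=:;_?\-\[\]<>]*',
  'QS'       => '"[^"]*"' # simplified: no escaped quotes inside
}.freeze

# %{SYNTAX} or %{SYNTAX:SEMANTIC}; an empty SEMANTIC (as in %{URIPATH:} in the
# config above) is treated like the unnamed form.
GROK_REF = /%\{(\w+)(?::(\w*))?\}/

# Recursively replace grok references with plain regex source.
def grok_expand(pattern, library = GROK_PATTERNS)
  pattern.gsub(GROK_REF) do
    syntax   = Regexp.last_match(1)
    semantic = Regexp.last_match(2)
    base  = library.fetch(syntax) { raise ArgumentError, "unknown grok pattern %{#{syntax}}" }
    inner = grok_expand(base, library)
    semantic.to_s.empty? ? "(?:#{inner})" : "(?<#{semantic}>#{inner})"
  end
end

def grok_compile(pattern, library = GROK_PATTERNS)
  Regexp.new(grok_expand(pattern, library))
end

# grok captures are always strings; groups that took no part in the match are
# dropped rather than reported as empty fields.
def grok_match(regex, line)
  m = regex.match(line)
  return nil if m.nil?
  m.named_captures.reject { |_, v| v.nil? }
end

# Equivalent of mutate { convert => { "bytes" => "integer" ... } }.
def convert_fields(fields, conversions)
  conversions.each do |name, type|
    next unless fields.key?(name)
    fields[name] = type == :integer ? Integer(fields[name], 10) : Float(fields[name])
  end
  fields
end

# Equivalent of date { match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"] },
# normalised to UTC the way @timestamp is.
def parse_http_date(value)
  DateTime.strptime(value, '%d/%b/%Y:%H:%M:%S %z').new_offset(0).iso8601(3)
end

# Cut-down version of the nginx pattern above (assumption: the real format has
# more fields); the biz/request_path nesting and %{URIPATH:}? are kept as written.
NGINX_PATTERN = '^%{IPORHOST:clientip} - %{USER:user} \[%{HTTPDATE:timestamp}\] ' \
                '"%{WORD:verb} (?<request_path>(?<biz>/[^/?]*)%{URIPATH:}?)' \
                '(?:%{URIPARAM:request_param})? HTTP/%{NUMBER:httpversion}" ' \
                '%{NUMBER:response} (?:%{NUMBER:bytes}|-) (?:%{NUMBER:request_duration}|-) ' \
                '%{QS:referrer} %{QS:agent}$'
NGINX_REGEX = grok_compile(NGINX_PATTERN)

# Constructed sample line; address and path are placeholders, not real traffic.
SAMPLE_LINE = '192.168.5.201 - - [07/Jun/2024:10:49:00 +0800] ' \
              '"GET /api/v1/acclog?x=1 HTTP/1.1" 200 2326 0.012 "-" "curl/8.0.1"'

# grok -> mutate convert -> date, in the same order as the filter block.
def parse_access_line(line)
  fields = grok_match(NGINX_REGEX, line)
  return nil if fields.nil?
  convert_fields(fields, 'bytes' => :integer, 'request_duration' => :float)
  fields['@timestamp'] = parse_http_date(fields['timestamp'])
  fields
end

if __FILE__ == $PROGRAM_NAME
  pp parse_access_line(SAMPLE_LINE)
end
```

Run it with `ruby grok_mini.rb` to see the parsed hash. Note that response stays a string because the config only converts bytes and request_duration; anything you want to aggregate numerically in Elasticsearch needs an explicit convert, otherwise the field is indexed as text.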