How to parse logs with logstash

Question (votes: 0, answers: 1)

I have a message like this that needs to be parsed by the grok filter:

"@timestamp":"2019-12-16T08:57:33.804Z","@version":"1","message":"[Optional[admin]] (0.0.0.0, 0.0.0.0|0.0.0.0) 9999 approve 2019-12-16T08:57:30.414732Z","logger_name":"com.company.asd.asd.web.rest.MyClass","thread_name":"XNIO-1 task-5","level":"INFO","level_value":20000,"app_name":"asd","instance_id":"asd-123","app_port":"8080","version":"0.0.1-SNAPSHOT"

I tried http://grokdebug.herokuapp.com/ to parse my log and wrote a regex like this to do it:

"@timestamp":"%{TIMESTAMP_ISO8601:logTime}","@version":"%{INT:version}","message":"\[\D*\[%{WORD:login}]\] \(%{IPV4:forwardedFor}\, %{IPV4:remoteAddr}\|%{IPV4:remoteAddr}\) %{WORD:identificator} %{WORD:methodName} %{TIMESTAMP_ISO8601:actionaDate}%{GREEDYDATA:all}

It seems to work fine in this debugger, but when I try to add this line to the filter in my .conf file, all it writes is _grokparsefailure and my message stays unchanged. My filter:

filter {
    grok {
        match => { "message" => ""@timestamp":"%{TIMESTAMP_ISO8601:logTime}","@version":"%{INT:version}","message":"\[\D*\[%{WORD:login}]\] \(%{IPV4:forwardedFor}\, %{IPV4:remoteAddr}\|%{IPV4:remoteAddr}\) %{WORD:identificator} %{WORD:methodName} %{TIMESTAMP_ISO8601:actionaDate}%{GREEDYDATA:all}" }
    }
}
elasticsearch logstash kibana logstash-grok elk
1 answer
0 votes

Try the grok below,

filter {
    grok {
        match => { "message" => "\"@timestamp\":\"%{TIMESTAMP_ISO8601:logTime}\",\"@version\":\"%{INT:version}\",\"message\":\"\[\D*\[%{WORD:login}]\] \(%{IPV4:forwardedFor}\, %{IPV4:remoteAddr}\|%{IPV4:remoteAddr}\) %{WORD:identificator} %{WORD:methodName} %{TIMESTAMP_ISO8601:actionaDate}%{GREEDYDATA:all}" }
    }
}
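The difference between the two configs is only the escaping of the double quotes inside the pattern string. The following Python script is an added example, not code from the question, the answer, or Logstash itself: it reads the pattern out of a Logstash-style double-quoted literal (simplified grammar, assumption: only `\"` is treated as an escape), expands the `%{NAME:field}` references with simplified stand-ins for the standard grok pattern definitions (assumption: narrower than the real ones, but they accept the sample message), and matches the constructed sample line from the question. It also handles the one edge case this pattern has, the repeated `remoteAddr` field, by returning a list the way grok does.

```python
import re

# Simplified stand-ins for the standard grok definitions (assumption: narrower
# than Logstash's real patterns, but sufficient for the sample message).
GROK_PATTERNS = {
    "INT": r"[+-]?\d+",
    "WORD": r"\b\w+\b",
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2}(?:[.,]\d+)?)?(?:Z|[+-]\d{2}:?\d{2})?",
    "GREEDYDATA": r".*",
}

_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def dq_literal_value(literal):
    """Return (value, remainder) for a Logstash double-quoted string literal.

    Simplified config grammar (assumption): the literal starts at a double
    quote, ends at the next unescaped double quote, and \\" stands for a
    literal double quote. Anything after the closing quote is returned as the
    remainder so a caller can detect a literal that ended too early.
    """
    if not literal.startswith('"'):
        raise ValueError("not a double-quoted literal")
    out, i = [], 1
    while i < len(literal):
        c = literal[i]
        if c == "\\" and i + 1 < len(literal) and literal[i + 1] == '"':
            out.append('"')
            i += 2
            continue
        if c == '"':
            return "".join(out), literal[i + 1:]
        out.append(c)
        i += 1
    raise ValueError("unterminated string literal")


def compile_grok(pattern):
    """Expand %{NAME:field} references into a Python regex.

    Returns (compiled regex, mapping of regex group name -> grok field name).
    grok allows the same field name twice (this pattern repeats remoteAddr);
    Python forbids duplicate group names, so every capture gets a unique
    group and the values are merged back by field name in grok_match().
    """
    groups = {}

    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        if field is None:
            return f"(?:{body})"
        gname = f"g{len(groups)}"
        groups[gname] = field
        return f"(?P<{gname}>{body})"

    return re.compile(_GROK_REF.sub(expand, pattern)), groups


def grok_match(pattern, text):
    """Match text against a grok pattern; None plays the role of _grokparsefailure."""
    regex, groups = compile_grok(pattern)
    m = regex.search(text)
    if m is None:
        return None
    fields = {}
    for gname, field in groups.items():
        fields.setdefault(field, []).append(m.group(gname))
    # a field captured once is a scalar, a repeated field stays a list (grok behaviour)
    return {k: v[0] if len(v) == 1 else v for k, v in fields.items()}


# Constructed sample, reproducing the message from the question.
SAMPLE = ('"@timestamp":"2019-12-16T08:57:33.804Z","@version":"1","message":"[Optional[admin]] '
          '(0.0.0.0, 0.0.0.0|0.0.0.0) 9999 approve 2019-12-16T08:57:30.414732Z","logger_name":'
          '"com.company.asd.asd.web.rest.MyClass","thread_name":"XNIO-1 task-5","level":"INFO"')

# The pattern literal from the question (quotes not escaped) and from the answer (escaped).
QUESTION_LITERAL = (r'""@timestamp":"%{TIMESTAMP_ISO8601:logTime}","@version":"%{INT:version}",'
                    r'"message":"\[\D*\[%{WORD:login}]\] \(%{IPV4:forwardedFor}\, %{IPV4:remoteAddr}'
                    r'\|%{IPV4:remoteAddr}\) %{WORD:identificator} %{WORD:methodName} '
                    r'%{TIMESTAMP_ISO8601:actionaDate}%{GREEDYDATA:all}"')
ANSWER_LITERAL = (r'"\"@timestamp\":\"%{TIMESTAMP_ISO8601:logTime}\",\"@version\":\"%{INT:version}\",'
                  r'\"message\":\"\[\D*\[%{WORD:login}]\] \(%{IPV4:forwardedFor}\, %{IPV4:remoteAddr}'
                  r'\|%{IPV4:remoteAddr}\) %{WORD:identificator} %{WORD:methodName} '
                  r'%{TIMESTAMP_ISO8601:actionaDate}%{GREEDYDATA:all}"')


def parse_with_config_literal(literal, text):
    """Take the pattern from a config literal and apply it; refuse a literal that ends early."""
    pattern, remainder = dq_literal_value(literal)
    if remainder:
        raise ValueError(f"string literal ended early, leftover config text: {remainder[:30]!r}")
    return grok_match(pattern, text)


if __name__ == "__main__":
    for label, literal in (("question", QUESTION_LITERAL), ("answer", ANSWER_LITERAL)):
        try:
            print(label, parse_with_config_literal(literal, SAMPLE))
        except ValueError as err:
            print(label, "rejected:", err)
```

With the question's literal the string closes immediately at the second `"`, so the pattern handed to grok is empty and the rest of the line is left over as config text; with the answer's literal the whole pattern is recovered and the sample line yields `login=admin`, `identificator=9999`, `methodName=approve`, both timestamps, and `remoteAddr` as a two-element list.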