Kibana/Logstash does not extract data using the grok pattern

Question description Votes: 0 Answers: 1

For some reason unknown to me, elasticsearch does not extract data from the log file using the grok pattern:

input {
  file {
    path => "/mnt/tutorialdata/www1/access.log"
    start_position => "beginning"
  }
}

filter {
  grok {
    match => { 
        "message" => "%{IPORHOST:client} %{USER:ident} %{USER:auth} \[(?<timestamp>%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME})\] \"%{WORD:method} %{URIPATHPARAM:request} HTTP %{NUMBER:httpversion}\" %{NUMBER:response} %{NUMBER:bytes} \"%{URI:referrer}\" \"%{GREEDYDATA:agent}\" %{NUMBER:duration}"
    }
  }
  date {
    match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss" ]
  }
}


output {
  elasticsearch {
    user => "logstash_internal"
    password => "${LOGSTASH_INTERNAL_PASSWORD}"
    hosts => "elasticsearch:9200"
  }
}

Sample data:

209.160.24.63 - - [18/Mar/2024:18:22:16] "GET /product.screen?productId=WC-SH-A02&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 3878 "http://www.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 349
209.160.24.63 - - [18/Mar/2024:18:22:16] "GET /oldlink?itemId=EST-6&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 1748 "http://www.buttercupgames.com/oldlink?itemId=EST-6" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 731
209.160.24.63 - - [18/Mar/2024:18:22:17] "GET /product.screen?productId=BS-AG-G09&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 2550 "http://www.buttercupgames.com/product.screen?productId=BS-AG-G09" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 422
209.160.24.63 - - [18/Mar/2024:18:22:19] "POST /category.screen?categoryId=STRATEGY&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 407 "http://www.buttercupgames.com/cart.do?action=remove&itemId=EST-7&productId=PZ-SG-G05" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 211
209.160.24.63 - - [18/Mar/2024:18:22:20] "GET /product.screen?productId=FS-SG-G03&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 2047 "http://www.buttercupgames.com/category.screen?categoryId=STRATEGY" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 487
209.160.24.63 - - [18/Mar/2024:18:22:20] "POST /cart.do?action=addtocart&itemId=EST-21&productId=FS-SG-G03&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 1201 "http://www.buttercupgames.com/product.screen?productId=FS-SG-G03" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 256
209.160.24.63 - - [18/Mar/2024:18:22:21] "POST /cart.do?action=purchase&itemId=EST-21&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 486 "http://www.buttercupgames.com/cart.do?action=addtocart&itemId=EST-21&categoryId=STRATEGY&productId=FS-SG-G03" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 293
209.160.24.63 - - [18/Mar/2024:18:22:22] "POST /cart/success.do?JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 3280 "http://www.buttercupgames.com/cart.do?action=purchase&itemId=EST-21" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 952
209.160.24.63 - - [18/Mar/2024:18:22:21] "GET /cart.do?action=remove&itemId=EST-11&productId=WC-SH-A01&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 3619 "http://www.buttercupgames.com/oldlink?itemId=EST-11" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 763
209.160.24.63 - - [18/Mar/2024:18:22:22] "GET /oldlink?itemId=EST-14&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 1352 "http://www.buttercupgames.com/cart.do?action=addtocart&itemId=EST-14&productId=WC-SH-A01" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 180
112.111.162.4 - - [18/Mar/2024:18:26:36] "GET /product.screen?productId=WC-SH-G04&JSESSIONID=SD7SL8FF5ADFF4964 HTTP 1.1" 200 778 "http://www.buttercupgames.com/category.screen?categoryId=SHOOTER" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5" 194
112.111.162.4 - - [18/Mar/2024:18:26:37] "POST /cart.do?action=addtocart&itemId=EST-18&productId=WC-SH-G04&JSESSIONID=SD7SL8FF5ADFF4964 HTTP 1.1" 200 215 "http://www.buttercupgames.com/product.screen?productId=WC-SH-G04" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5" 727
112.111.162.4 - - [18/Mar/2024:18:26:38] "POST /cart.do?action=purchase&itemId=EST-18&JSESSIONID=SD7SL8FF5ADFF4964 HTTP 1.1" 200 1228 "http://www.buttercupgames.com/cart.do?action=addtocart&itemId=EST-18&categoryId=SHOOTER&productId=WC-SH-G04" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5" 430
112.111.162.4 - - [18/Mar/2024:18:26:38] "POST /cart/error.do?msg=CreditDoesNotMatch&JSESSIONID=SD7SL8FF5ADFF4964 HTTP 1.1" 200 1232 "http://www.buttercupgames.com/cart.do?action=purchase&itemId=EST-18" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5" 841
112.111.162.4 - - [18/Mar/2024:18:26:37] "GET /category.screen?categoryId=NULL&JSESSIONID=SD7SL8FF5ADFF4964 HTTP 1.1" 505 2445 "http://www.buttercupgames.com/category.screen?categoryId=NULL" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5" 393
112.111.162.4 - - [18/Mar/2024:18:26:38] "GET /oldlink?itemId=EST-7&JSESSIONID=SD7SL8FF5ADFF4964 HTTP 1.1" 503 1207 "http://www.buttercupgames.com/category.screen?categoryId=NULL" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5" 704
74.125.19.106 - - [18/Mar/2024:18:32:15] "GET /cart.do?action=addtocart&itemId=EST-16&productId=DC-SG-G02&JSESSIONID=SD4SL7FF10ADFF4998 HTTP 1.1" 200 1425 "http://www.buttercupgames.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6" 375
74.125.19.106 - - [18/Mar/2024:18:32:15] "GET /category.screen?categoryId=NULL&JSESSIONID=SD4SL7FF10ADFF4998 HTTP 1.1" 503 2039 "http://www.buttercupgames.com/oldlink?itemId=EST-13" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6" 533
117.21.246.164 - - [18/Mar/2024:18:36:02] "POST /cart.do?action=changequantity&itemId=EST-21&productId=WC-SH-A01&JSESSIONID=SD9SL6FF8ADFF5015 HTTP 1.1" 200 809 "http://www.buttercupgames.com" "Googlebot/2.1 (http://www.googlebot.com/bot.html)" 643
117.21.246.164 - - [18/Mar/2024:18:36:03] "POST /cart.do?action=addtocart&itemId=EST-27&productId=DC-SG-G02&JSESSIONID=SD9SL6FF8ADFF5015 HTTP 1.1" 200 1291 "http://www.buttercupgames.com/cart.do?action=addtocart&itemId=EST-27&productId=DC-SG-G02" "Googlebot/2.1 (http://www.googlebot.com/bot.html)" 795
117.21.246.164 - - [18/Mar/2024:18:36:03] "GET /category.screen?categoryId=STRATEGY&JSESSIONID=SD9SL6FF8ADFF5015 HTTP 1.1" 200 3182 "http://www.buttercupgames.com/oldlink?itemId=EST-26" "Googlebot/2.1 (http://www.googlebot.com/bot.html)" 190
117.21.246.164 - - [18/Mar/2024:18:36:03] "GET /cart.do?action=view&itemId=EST-19&productId=DB-SG-G01&JSESSIONID=SD9SL6FF8ADFF5015 HTTP 1.1" 200 2477 "http://www.buttercupgames.com/product.screen?productId=DB-SG-G01" "Googlebot/2.1 (http://www.googlebot.com/bot.html)" 636
117.21.246.164 - - [18/Mar/2024:18:36:05] "POST /product.screen?productId=DB-SG-G01&JSESSIONID=SD9SL6FF8ADFF5015 HTTP 1.1" 200 3792 "http://www.buttercupgames.com/cart.do?action=view&itemId=EST-7&productId=DB-SG-G01" "Googlebot/2.1 (http://www.googlebot.com/bot.html)" 360
117.21.246.164 - - [18/Mar/2024:18:36:06] "GET /category.screen?categoryId=ACCESSORIES&JSESSIONID=SD9SL6FF8ADFF5015 HTTP 1.1" 200 689 "http://www.buttercupgames.com/oldlink?itemId=EST-7" "Googlebot/2.1 (http://www.googlebot.com/bot.html)" 673
117.21.246.164 - - [18/Mar/2024:18:36:07] "GET /oldlink?itemId=EST-17&JSESSIONID=SD9SL6FF8ADFF5015 HTTP 1.1" 200 924 "http://www.buttercupgames.com/oldlink?itemId=EST-17" "Googlebot/2.1 (http://www.googlebot.com/bot.html)" 156

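Note that I have successfully tested the pattern in the Grok Debugger, and I can see the output JSON with all the matches. However, when I navigate to Observability/Logs/Stream in Kibana, the grok columns are not there (I can search for them on the left, but there are no rows with those values).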

logstash kibana logstash-grok
1 answer
0
votes

The good news is that the problem does not come from your grok.

I tried it locally and it works like a charm (this is the logstash stdout output):

{
       "referrer" => "http://www.buttercupgames.com",
       "response" => "200",
           "path" => "C:/path/to/my/access.log",
     "@timestamp" => 2024-03-18T17:32:15.000Z,
           "host" => "HOSTNAME",
        "message" => "74.125.19.106 - - [18/Mar/2024:18:32:15] \"GET /cart.do?action=addtocart&itemId=EST-16&productId=DC-SG-G02&JSESSIONID=SD4SL7FF10ADFF4998 HTTP 1.1\" 200 1425 \"http://www.buttercupgames.com\" \"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6\" 375\r",
         "client" => "74.125.19.106",
          "ident" => "-",
          "agent" => "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6",
       "duration" => "375",
        "request" => "/cart.do?action=addtocart&itemId=EST-16&productId=DC-SG-G02&JSESSIONID=SD4SL7FF10ADFF4998",
         "method" => "GET",
    "httpversion" => "1.1",
       "@version" => "1",
          "bytes" => "1425",
           "auth" => "-",
      "timestamp" => "18/Mar/2024:18:32:15"
}

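Now, if you run it twice against the same file, the second run will be ignored, because logstash will consider the file already processed. To convince yourself, you can try renaming the log file to access2.log, and it should work fine.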

Now, the file input plugin is still a bit tricky for me, and I can't help you further with how to change this behavior.
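
The "second run is ignored" behaviour described in the answer comes from the file input's sincedb, where Logstash records how far it has read each file. As an added example (not part of the original question or answer), this test configuration reuses the question's pipeline, sets `sincedb_path` to `/dev/null` so the file is read from the start on every run, and adds a `stdout` output to check the parsed fields before looking in Kibana; it assumes a Linux host.

```logstash
# Added test configuration; not the asker's or the answerer's own file.
input {
  file {
    path => "/mnt/tutorialdata/www1/access.log"
    # start_position only applies to files Logstash has not seen before;
    # for a file it already knows, the offset stored in the sincedb is used.
    start_position => "beginning"
    # Testing only: keep no offset, so each restart re-reads the whole file.
    sincedb_path => "/dev/null"
  }
}

filter {
  grok {
    # Pattern copied unchanged from the question.
    match => {
        "message" => "%{IPORHOST:client} %{USER:ident} %{USER:auth} \[(?<timestamp>%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME})\] \"%{WORD:method} %{URIPATHPARAM:request} HTTP %{NUMBER:httpversion}\" %{NUMBER:response} %{NUMBER:bytes} \"%{URI:referrer}\" \"%{GREEDYDATA:agent}\" %{NUMBER:duration}"
    }
  }
  date {
    match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss" ]
  }
}

output {
  # Print every event with its fields; an event the pattern did not match
  # carries the tag "_grokparsefailure" and none of the extracted fields.
  stdout { codec => rubydebug }

  # Index only events that grok parsed, so unparsed lines stand out on stdout
  # instead of appearing in Kibana as rows without the extracted columns.
  if "_grokparsefailure" not in [tags] {
    elasticsearch {
      user => "logstash_internal"
      password => "${LOGSTASH_INTERNAL_PASSWORD}"
      hosts => "elasticsearch:9200"
    }
  }
}
```

Because no offset is kept, every restart indexes the same lines again, so remove `sincedb_path` once the fields show up as expected.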
