I am using logstash 2.3.4.
The lines I receive are basically apache logs with a small score at the end (computed by machine learning, thanks to Spark). Here is one line:
hackazon.lc:80 192.168.100.133 - - [28/Jul/2016:11:07:46 +0200] "GET / HTTP/1.1" 200 10442 "http://192.168.100.123/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36" pred:0.0859964494393
As you can see, the first part is a standard apache log and the end is pred:0.0859964494393.
The logs are processed by ELK for visualisation, and I would also like some metrics on the pred score. So I used the timer option of the metrics filter. Here is my logstash config file:
input {
  file {
    path => '/home/spark/LogStash/*'
    start_position => "beginning"
  }
}
filter {
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG} pred:%{NUMBER:pred_score}" }
  }
  if "_grokparsefailure" in [tags] {
    drop { }
  }
  mutate {
    convert => { "pred_score" => "float" }
  }
  geoip {
    source => "clientip"
  }
  metrics {
    timer => ["pred_score", "%{duration}"]
  }
}
output {
  # elasticsearch { }
  stdout { codec => rubydebug }
  # riemann {
  #   map_fields => true
  # }
}
I expected to get an output with the mean, max, etc. of the pred score. But I only get 0, except for the count and the rates.
Here is one of the timer outputs:
{
    "@version"   => "1",
    "@timestamp" => "2016-07-28T09:11:39.522Z",
    "message"    => "thamine-OptiPlex-755",
    "pred_score" => {
        "count"    => 10,
        "rate_1m"  => 0.5533102865966679,
        "rate_5m"  => 1.2937302900528778,
        "rate_15m" => 1.490591754983121,
        "min"      => 0.0,
        "max"      => 0.0,
        "stddev"   => 0.0,
        "mean"     => 0.0,
        "p1"       => 0.0,
        "p5"       => 0.0,
        "p10"      => 0.0,
        "p90"      => 0.0,
        "p95"      => 0.0,
        "p99"      => 0.0,
        "p100"     => 0.0
    }
}
Do you know what I am doing wrong?
Thanks in advance!
Answer 0: (score: 1)
Your grok pattern looks fine, but in your logstash script %{duration} is unknown. Neither your pattern nor COMBINEDAPACHELOG has a duration variable.
Change your timer configuration to:
timer => ["pred_score", "%{pred_score}"]
because pred_score is a variable in the pattern.
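To make the cause of the all-zero timer concrete, here is an added example (not code from the question or the answer) that replays the filter chain above on a few constructed log lines and computes what the timer sees for the wrong key "%{duration}" and for the corrected key "%{pred_score}". Two things are assumptions rather than facts taken from the page: the regex is a simplified stand-in for grok's COMBINEDAPACHELOG (searched unanchored, as grok does, so the "hackazon.lc:80 " prefix is skipped), and the behaviour of the metrics filter is modelled as "logstash sprintf leaves an unresolvable %{field} as literal text, which Ruby's String#to_f turns into 0.0". The percentile is a nearest-rank stand-in for the filter's histogram, and the sample log lines are constructed.

```python
"""Replay of the question's filter chain, showing why the timer reported all
zeros with "%{duration}" and what it reports with "%{pred_score}"."""
import math
import re
import statistics

# Constructed sample input: the posted line plus two variations and one line
# that grok would reject (it gets dropped by the _grokparsefailure branch).
SAMPLE_LOG = """\
hackazon.lc:80 192.168.100.133 - - [28/Jul/2016:11:07:46 +0200] "GET / HTTP/1.1" 200 10442 "http://192.168.100.123/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36" pred:0.0859964494393
hackazon.lc:80 192.168.100.133 - - [28/Jul/2016:11:07:47 +0200] "GET /login HTTP/1.1" 200 5120 "http://192.168.100.123/" "Mozilla/5.0" pred:0.25
hackazon.lc:80 192.168.100.140 - - [28/Jul/2016:11:07:48 +0200] "GET /search?q=%27%20OR%201=1-- HTTP/1.1" 200 9001 "-" "sqlmap/1.0" pred:0.95
this line will not parse
"""

# Simplified stand-in (assumption) for COMBINEDAPACHELOG followed by " pred:NUMBER".
LOG_RE = re.compile(
    r'(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
    r' pred:(?P<pred_score>-?\d+(?:\.\d+)?)'
)

FIELD_REF = re.compile(r'%\{([^}]+)\}')


def grok(line):
    """Like the grok filter: unanchored search; None stands for _grokparsefailure."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def sprintf(event, template):
    """Assumed logstash 2.x Event#sprintf: a reference to a field the event
    does not have is left as the literal "%{name}" text."""
    return FIELD_REF.sub(
        lambda m: str(event[m.group(1)]) if m.group(1) in event else m.group(0),
        template)


def ruby_to_f(s):
    """Ruby String#to_f: parse the leading numeric prefix, anything else is 0.0."""
    m = re.match(r'\s*[-+]?(?:\d+\.?\d*|\.\d+)(?:[eE][-+]?\d+)?', s)
    return float(m.group(0)) if m else 0.0


def percentile(samples, p):
    """Nearest-rank percentile; a stand-in for the filter's histogram."""
    s = sorted(samples)
    return s[max(0, math.ceil(p / 100 * len(s)) - 1)]


def timer_stats(lines, value_template):
    """Run grok -> drop-on-failure -> mutate convert -> metrics timer and return
    the fields the timer would report for the value template given."""
    samples = []
    for line in lines:
        event = grok(line)
        if event is None:
            continue                                  # drop { } on _grokparsefailure
        event["pred_score"] = float(event["pred_score"])  # mutate convert => float
        samples.append(ruby_to_f(sprintf(event, value_template)))
    if not samples:
        return {"count": 0}
    return {
        "count": len(samples),
        "min": min(samples),
        "max": max(samples),
        "mean": statistics.mean(samples),
        "stddev": statistics.pstdev(samples),
        "p90": percentile(samples, 90),
    }


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("timer with %{duration}:  ", timer_stats(lines, "%{duration}"))
    print("timer with %{pred_score}:", timer_stats(lines, "%{pred_score}"))
```

A quick way to catch this class of mistake in a real pipeline is to look at the stdout rubydebug output of a single event and confirm that every field named in a %{...} reference of the metrics block actually appears there; a field that is absent from the event contributes 0.0 to the timer without any warning.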