在我的日志文件中,我有以下条目:
2014-06-25 12:36:18,176 [10] ((null)) INFO [s=(null)] [u=(null)] Hello from Serilog, running as "David"! [Program]
2014-06-25 12:36:18,207 [10] ((null)) WARN [s=(null)] [u=(null)] =======MyOwnLogger====== Hello from log4net, running as David! [MyOwnLogger]
2014-06-25 12:36:18,209 [10] ((null)) ERROR [s=(null)] [u=(null)] =======MyOwnLogger====== Hello from log4net, running as David! [MyOwnLogger]
分别是loglevel INFO,WARN和ERROR。
我想要做的只是向Elasticsearch输出那些ERROR级别的条目。这是我的Logstash配置文件:
input {
file {
path => "Somepath/*.log"
}
}
# This filter doesn't work
filter {
if [loglevel] != "error" {
drop { }
}
}
output {
elasticsearch { host => localhost }
stdout {}
}
实际上,目前没有任何内容被发送到Elasticsearch。我知道它与过滤器有关,因为如果它不存在,所有条目都会被发送到Elastisearch。
答案 0 :(得分:4)
试试这个grok过滤器。它适用于我的日志
filter {
grok {
match => ["message","%{TIMESTAMP_ISO8601:logtime} \[%{NUMBER}\] \(\(%{WORD}\)\) %{WORD:loglevel} %{GREEDYDATA:other}"]
}
if [loglevel]!= "ERROR" {
drop {}
}
}
首先,你需要了解loglevel,然后你可以使用该字段来做if else条件并决定是否丢弃。