我有两种来自一个来源的日志消息。我试图使用这样的配置解析它们:
filter {
if [type] == "my_type" {
grok {
match => [ "message", "field1:" ]
break_on_match => false
add_tag => "field1_message"
}
}
if [type] == "my_type" {
grok {
match => [ "message", "field2:" ]
break_on_match => false
add_tag => "field2_message"
}
}
}
Field1和Field2对于每种类型都是uniq。我的正则表达式和模式是正确的。当我运行这个过滤器时,只有第一部分过滤器匹配,而从第二部分我只接收_grokparsefailure。你能帮我解决这个问题吗?
答案 0 :(得分:1)
我不知道你的完整配置是什么。对我来说,我已根据您的要求进行了测试,它对我有用。 以下是我的配置:
input {
file {
type => "A"
path => "/path/to/file/A/server.log.1"
}
file {
type => "B"
path => "/path/to/file/B/server.log.2"
}
}
filter{
if [type] == "A" {
grok {
match => [ "message", "field1: %{WORD:field1}" ]
break_on_match => false
add_tag => "field1_message"
}
}
if [type] == "B" {
grok {
match => [ "message", "field2: %{WORD:field2}" ]
break_on_match => false
add_tag => "field2_message"
}
}
}
output {
stdout {
codec => "rubydebug"
}
}
这是server.log.1
field1:你好
相应的输出是
{
"message" => "field1: hello",
"@version" => "1",
"@timestamp" => "2014-10-17T03:18:34.421Z",
"type" => "A",
"host" => "ABC",
"path" => "/path/to/file/A/server.log.1",
"field1" => "hello",
"tags" => [
[0] "field1_message"
]
}
server.log.2
field2:world
输出
{
"message" => "field2: world",
"@version" => "1",
"@timestamp" => "2014-10-17T03:18:33.451Z",
"type" => "B",
"host" => "ABC",
"path" => "/path/to/file/B/server.log.2",
"field2" => "world",
"tags" => [
[0] "field2_message"
]
}
希望这可以帮到你,我使用的是logstash 1.4.1。