Grok filter written with a regular expression always fails / _grokparsefailure

Time: 2014-11-10 12:18:00

Tags: regex logstash grok

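I wrote a grok filter using a regular expression, and the configuration works without errors in the Grok Debugger, but when I try to match with it in logstash.conf, the result is always "_grokparsefailure".

The message I want to match is:     10.196.3.3 - - [01/Aug/2014:00:00:16 +0200] "GET / HTTP/1.1" 200 1507 "-" "-"

My filter in the Grok Debugger is: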

(?<clientIP>[^ ]*)[^\[]*\[(?<timestamp>.{26})] "(?<httpRequest>[^"]*)" (?<httpStatusCode>\d{3}) (?<bytesSent>[^ ]*) "(?<Referer>[^"]*)" "(?<userAgent>[^"]*)"

The complete conf is:

input {
  file {
    type => 'jboss_log'
    path => '/home/christian/Downloads/access-logs-2014-08/vlpr133-2014-08/jBoss_http_access*.log'
    start_position => 'beginning'
  }
}

filter {
  if [type] == 'jboss_log' {
    grok {
      match => [' message', '(?<clientIP>[^ ]*)[^\[]*\[(?<timestamp>.{26})] "(?<httpRequest>[^"]*)" (?<httpStatusCode>\d{3}) (?<bytesSent>[^ ]*) "(?<Referer>[^"]*)" "(?<userAgent>[^"]*)"']
      #tag_on_failure => [ ]
    }
  }
}

output {
  stdout { codec => json }
  elasticsearch { cluster => 'elasticsearch' }
}

So maybe someone can help me?!

1 answer:

Answer 0: (score: 0)

The solution was that there was a space before 'message' :D
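
The cause named in the answer, as an added example that is not part of the original post: a simplified Ruby model of how a grok filter looks up its source field, plus a small check for padded field names in a config. The function names, the sample event and the two config strings are constructed for illustration; the regex is the one from the question, with the literal `]` escaped.

```ruby
# Simplified model of a grok filter's field lookup (illustration only, not Logstash source).
# Regex from the question; Ruby uses the same (?<name>...) capture syntax.
PATTERN = /(?<clientIP>[^ ]*)[^\[]*\[(?<timestamp>.{26})\] "(?<httpRequest>[^"]*)" (?<httpStatusCode>\d{3}) (?<bytesSent>[^ ]*) "(?<Referer>[^"]*)" "(?<userAgent>[^"]*)"/

# Constructed sample event: the file input stores each log line under "message".
SAMPLE_EVENT = {
  'type' => 'jboss_log',
  'message' => '10.196.3.3 - - [01/Aug/2014:00:00:16 +0200] "GET / HTTP/1.1" 200 1507 "-" "-"'
}.freeze

# Hypothetical helper: apply `pattern` to event[field] and tag the event on failure.
# A field name is an exact hash key, so " message" and "message" are different fields.
def grok(event, field, pattern, tag_on_failure: ['_grokparsefailure'])
  out = event.dup
  value = event[field]
  match = value.is_a?(String) ? pattern.match(value) : nil
  if match
    out.merge!(match.named_captures)
  else
    # A missing field means nothing to match against, so the event is only tagged.
    out['tags'] = Array(event['tags']) | tag_on_failure
  end
  out
end

# Hypothetical lint: return grok source-field names written with leading or
# trailing whitespace, for both the array and the hash form of `match`.
def padded_match_fields(conf_text)
  conf_text.scan(/match\s*=>\s*[\[{]\s*(['"])(.*?)\1/m)
           .map { |_quote, name| name }
           .reject { |name| name == name.strip }
end

# Constructed config fragments: the question's form and the corrected form.
BAD_CONF  = %q|grok { match => [' message', '(?<clientIP>[^ ]*)'] }|
GOOD_CONF = %q|grok { match => ['message', '(?<clientIP>[^ ]*)'] }|

if __FILE__ == $PROGRAM_NAME
  puts "padded field -> tags: #{grok(SAMPLE_EVENT, ' message', PATTERN)['tags'].inspect}"
  fixed = grok(SAMPLE_EVENT, 'message', PATTERN)
  puts "exact field  -> clientIP=#{fixed['clientIP']} status=#{fixed['httpStatusCode']}"
  puts "lint BAD_CONF:  #{padded_match_fields(BAD_CONF).inspect}"
  puts "lint GOOD_CONF: #{padded_match_fields(GOOD_CONF).inspect}"
end
```

The Grok Debugger only tests the pattern against the pasted text, so it cannot reveal a wrong field name in the `match` setting.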