我用正则表达式编写了一个grokfilter,并且在Grok Debugger中配置工作没有错误但是当我想在logstash.conf中匹配时,结果始终是" grokparsefailure"
我想要匹配的消息是: 10.196.3.3 - - [01 / Aug / 2014:00:00:16 +0200]" GET / HTTP / 1.1" 200 1507" - " " - "
我在grok调试器中的过滤器是:
(?<clientIP>[^ ]*)[^\[]*\[(?<timestamp>.{26})] "(?<httpRequest>[^"]*)" (?<httpStatusCode>\d{3}) (?<bytesSent>[^ ]*) "(?<Referer>[^"]*)" "(?<userAgent>[^"]*)"
完整的conf是:
input {
file {
type => 'jboss_log'
path => '/home/christian/Downloads/access-logs-2014-08/vlpr133-2014-08/jBoss_http_access*.log'
start_position => 'beginning'
}
}
filter {
if [type] == 'jboss_log' {
grok {
match => [' message', '(?<clientIP>[^ ]*)[^\[]*\[(?<timestamp>.{26})] "(?<httpRequest>[^"]*)" (?<httpStatusCode>\d{3}) (?<bytesSent>[^ ]*) "(?<Referer>[^"]*)" "(?<userAgent>[^"]*)"']
#tag_on_failure => [ ]
}}}
output {
stdout{codec => json }
elasticsearch {cluster => 'elasticsearch' }
}
所以也许有人可以帮助我吗?!
答案 0 :(得分:0)
up解决方案是'message'之前有一个空格:D