Question

我用正则表达式编写了一个grokfilter，并且在Grok Debugger中配置工作没有错误但是当我想在logstash.conf中匹配时，结果始终是＆＃34; grokparsefailure＆＃34;

我想要匹配的消息是： 10.196.3.3 - - [01 / Aug / 2014：00：00：16 +0200]＆＃34; GET / HTTP / 1.1＆＃34; 200 1507＆＃34; - ＆＃34; ＆＃34; - ＆＃34;

我在grok调试器中的过滤器是：

(?<clientIP>[^ ]*)[^\[]*\[(?<timestamp>.{26})] "(?<httpRequest>[^"]*)" (?<httpStatusCode>\d{3}) (?<bytesSent>[^ ]*) "(?<Referer>[^"]*)" "(?<userAgent>[^"]*)"

完整的conf是：

input {

file {
type => 'jboss_log'
path => '/home/christian/Downloads/access-logs-2014-08/vlpr133-2014-08/jBoss_http_access*.log'
start_position => 'beginning'
}
}

filter {
        if [type] == 'jboss_log' {
        grok {
match => [' message', '(?<clientIP>[^ ]*)[^\[]*\[(?<timestamp>.{26})] "(?<httpRequest>[^"]*)" (?<httpStatusCode>\d{3}) (?<bytesSent>[^ ]*) "(?<Referer>[^"]*)" "(?<userAgent>[^"]*)"']

#tag_on_failure => [ ]

}}}

output {
stdout{codec => json }
elasticsearch {cluster => 'elasticsearch' }
}

所以也许有人可以帮助我吗？！

Answer 1

up解决方案是'message'之前有一个空格：D

用正则表达式写的grok过滤器总是失败/ _grokparsefailure

1 个答案: