Question

基本上我需要过滤掉日期 - 严重 - JAVACLASSNAME - 错误信息。

这对我有用..但它只完成了一半。（？[0-9] {4} - [0-9] {2} - [0-9] {2} [0-9] {2}：[0-9] {2}：[0-9 ] {2}，[0-9] {3}）％{WORD：Severity}（？：％{GREEDYDATA：msg}）

它没有显示Javaclass ..！

这是我得到的输出

＆＃13;

{
  "Timestamp": [
    [
      "2015-03-03 03:12:16,978"
    ]
  ],
  "Severity": [
    [
      "INFO"
    ]
  ],
  "Error_Message": [
    [
      " [http-bio-16006-exec-71] [XYZ.ABC.JLM.app.task.ERT] [app:/saas reqid:23121221 jsid:* aid:* uid: org: vorg: un:] - Received to update queued for monitorId=54213213JBNJBSJBSJBS, worklow=8u298u2189u312, session=21684216814321"
    ]
  ]
}

＆＃13;

的logline

2015-03-03 03:12:16,978 INFO [http-bio-16006-exec-71] [XYZ.ABC.JLM.app.task.ERT] [app:/saas reqid:23121221 jsid:* aid:* uid: org: vorg: un:] - Received to update queued for monitorId=54213213JBNJBSJBSJBS, worklow=8u298u2189u312, session=21684216814321

Answer 1

这应该有效：

filter {
  grok {
    match => [
      "message",
      "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:severity} \[(?<threadname>[^\]]+)\] \[(?<classname>[^\]]+)\] %{GREEDYDATA:message}"
    ]
    overwrite => ["message"]
  }
}

具有此日志行的Grok模式

1 个答案: