我使用Logstash将错误日志从应用服务器转发到ES。除了将日志时间戳作为字符串传递给ES之外,一切正常。
这是我的日志格式
[Date:2015-03-25 01:29:09,554] [ThreadId:4432] [HostName:AEPLWEB1] [Host:(null)] [ClientIP:(null)] [Browser:(null)] [UserAgent :(null)] [PhysicalPath:(null)] [Url:(null)] [QueryString:(null)] [Referrer:(null)] [Carwale.Notifications.ExceptionHandler] System.InvalidCastException:无法转换类型的对象' Carwale.Entity.CMS.Articles.ArticleDetails'输入' Carwale.Entity.CMS.Articles.ArticlePageDetails'。 at Carwale.Cache.Core.MemcacheManager.GetFromCacheCore [T](String key,TimeSpan cacheDuration,Func`1 dbCallback,Boolean& isKeyFirstTimeCreated)
过滤logstash转发器的配置
filter {
multiline {
pattern => "^\[Date:%{TIMESTAMP_ISO8601}"
negate => true
what => "previous"
}
grok {
match => [ "message", "(?:Date:%{TIMESTAMP_ISO8601:log_timestamp})\] \[(?:ThreadId:%{NUMBER:ThreadId})\] \[(?:HostName:%{WORD:HostName})\] \[(?:Host:\(%{WORD:Host})\)\] \[(?:ClientIP:\(%{WORD:ClientIP})\)\] \[(?:Browser:\(%{WORD:Browser})\)\] \[(?:UserAgent:\(%{WORD:UserAgent})\)\] \[(?:PhysicalPath:\(%{WORD:PhysicalPath})\)\] \[(?:Url:\(%{WORD:Url})\)\] \[(?:QueryString:\(%{WORD:QueryString})\)\] \[(?:Referrer:\(%{WORD:Referrer})\)\] \[%{DATA:Logger}\] %{GREEDYDATA:err_message}" ]
}
date {
match => [ "log_timestamp", "MMM dd YYY HH:mm:ss","MMM d YYY HH:mm:ss", "ISO8601" ]
target => "log_timestamp"
}
mutate {
convert => ["ThreadId", "integer"]
}
}
我如何在ES中约会?请帮忙。提前致谢。
答案 0 :(得分:0)
我有类似的问题。现在使用以下解决方法修复它。
grok {
match => {
"message" => "%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day}[T ]%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}"
}
}
grok{
match => {
"second" => "(?<asecond>(^[^,]*))" }
}
mutate {
add_field => {
"timestamp" => "%{year}-%{month}-%{day} %{hour}:%{minute}:%{asecond}"
}
}
date{ match => [ "timestamp", "yyyy-MM-dd HH:mm:ss" ] timezone=> "UTC" target => "log_timestamp" }
谢谢,