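How to raise the log level of logs stored in the ELK stack

Time: 2015-09-17 15:56:20

Tags: elasticsearch logstash

Is it possible to raise the log level of the logs stored on the ELK stack? Right now I find that all log levels are stored in my ELK stack; I only want to store the warning and error logs in the stack. How can I do that?

2 answers:

Answer 0: (score: 1)

I think you are looking for the logstash drop filter, which lets you filter out logs based on some condition, in your case debug, info, etc. From the documentation, the filter might look like this: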

filter {
  if [loglevel] == "debug" {
    drop { }
  }
}

https://www.elastic.co/guide/en/logstash/current/plugins-filters-drop.html

Also, your question is similar to this one:

Logstash drop filter for event

Answer 1: (score: 0)

If you have a log file test.log like the following:

DEBUG | 2008-09-06 10:51:44,817 | DefaultBeanDefinitionDocumentReader.java | 86 | Loading bean definitions
WARN | 2008-09-06 10:51:44,848 | AbstractBeanDefinitionReader.java | 185 | Loaded 5 bean definitions from location pattern [samContext.xml]
INFO | 2008-09-06 10:51:44,848 | XmlBeanDefinitionReader.java | 323 | Loading XML bean definitions from class path resource [tmfContext.xml]
DEBUG | 2008-09-06 10:51:44,848 | DefaultDocumentLoader.java | 72 | Using JAXP provider [com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl]
ERROR | 2008-09-06 10:51:44,848 | BeansDtdResolver.java | 72 | Found beans DTD [http://www.springframework.org/dtd/spring-beans.dtd] in classpath: spring-beans.dtd
ERROR | 2008-09-06 10:51:44,864 | DefaultBeanDefinitionDocumentReader.java | 86 | Loading bean definitions
DEBUG | 2008-09-06 10:51:45,458 | AbstractAutowireCapableBeanFactory.java | 411 | Finished creating instance of bean 'MS-SQL'

You can define an if condition for the messages you want to keep, and drop the others:

input {
    file {
        path => "/your/path/test.log"
        sincedb_path => "/your/path/test.idx"
        start_position => "beginning"
    }
}

filter {
    if [message] =~ "WARN" or [message] =~ "ERROR" {

    } else {
        drop {}
    }
}

output {
    stdout {
        codec => rubydebug      
    }
}

Then your result will look like this:

{
       "message" => "WARN | 2008-09-06 10:51:44,848 | AbstractBeanDefinitionReader.java | 185 | Loaded 5 bean definitions from location pattern [samContext.xml]",
      "@version" => "1",
    "@timestamp" => "2015-09-17T18:30:24.897Z",
          "host" => "MacBook-Pro-de-Alain.local",
          "path" => "/Users/Alain/Workspace/elk/logstash-1.5.4/config/filter/test.log"
}
{
       "message" => "ERROR | 2008-09-06 10:51:44,848 | BeansDtdResolver.java | 72 | Found beans DTD [http://www.springframework.org/dtd/spring-beans.dtd] in classpath: spring-beans.dtd",
      "@version" => "1",
    "@timestamp" => "2015-09-17T18:30:24.898Z",
          "host" => "MacBook-Pro-de-Alain.local",
          "path" => "/Users/Alain/Workspace/elk/logstash-1.5.4/config/filter/test.log"
}
{
       "message" => "ERROR | 2008-09-06 10:51:44,864 | DefaultBeanDefinitionDocumentReader.java | 86 | Loading bean definitions",
      "@version" => "1",
    "@timestamp" => "2015-09-17T18:30:24.899Z",
          "host" => "MacBook-Pro-de-Alain.local",
          "path" => "/Users/Alain/Workspace/elk/logstash-1.5.4/config/filter/test.log"
}

Regards, Alain
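
Added example, not part of either answer: a filter that first extracts the level into its own field and then drops on that field. This gives the [loglevel] comparison from answer 0 a field to test, and avoids the unanchored match from answer 1 keeping a DEBUG or INFO line just because "WARN" or "ERROR" appears somewhere in its text. The grok layout and the field names logtime, source_file, source_line and text are assumptions based on the test.log sample above.

```logstash
# Added example; the layout is assumed from the test.log sample:
#   LEVEL | timestamp | source file | line number | text
filter {
    grok {
        # Anchored at the start of the line, so only the leading token
        # is captured as the level.
        match => { "message" => "^%{LOGLEVEL:loglevel} \| %{TIMESTAMP_ISO8601:logtime} \| %{NOTSPACE:source_file} \| %{INT:source_line} \| %{GREEDYDATA:text}" }
    }

    # Drop only events that parsed cleanly and are below WARN.
    # Lines that do not match the layout carry the _grokparsefailure tag
    # and are kept, so a format change does not silently discard logs.
    # The comparison is case-sensitive; the sample uses upper-case levels.
    if "_grokparsefailure" not in [tags] and [loglevel] not in ["WARN", "ERROR"] {
        drop { }
    }
}
```

Kept events still go through the same input and output sections as in answer 1; watching for the _grokparsefailure tag in the output shows how many lines bypassed the level check.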