我们有海狸将日志发送到logstash。两个日志源是nginx错误日志和haproxy日志。 beaver正在为日志类型添加标记,我们希望根据类型解析日志。我们编写了以下配置文件,但是当logstash解析它时,我们收到错误:can't convert Array into String(logstash -t -f logstash.conf表示配置正常)。
任何想法如何解决这个问题?
此处logstash.conf
input {
udp {
port => 25826
buffer_size => 2048
codec => json
}
}
filter {
if "nginx-error" in [tags] {
grok {
match => {
# 2015/12/24 14:27:38 [error] 8#0: *43449 upstream timed ...
"message" => "%{DATESTAMP:timestamp} \[%{DATA}\] %{GREEDYDATA:message}"
}
overwrite => [ "message" ]
add_field => {
"levelname" => "ERROR"
"levelno" => 20
}
}
}
if "haproxy-log" in [tags] {
grok {
match => {
# [WARNING] 005/130716 (9) : Server app/app1 is ...
"message" => "\[%{DATA:levelname}\] %{GREEDYDATA:message}"
overwrite => [ "message" ]
add_field => {
"levelname" => "%{levelname}"
"orig_levelname" => "%{levelname}"
}
}
}
mutate {
gsub => [
# Change ALERT to ERROR for easy query
"levelname", "ALERT", "ERROR"
]
}
}
}
output {
stdout {
codec => rubydebug
}
}
FWIW:我得到了一个nswer in the logstash forums。