logstash filter does not respect regular expressions

Time: 2016-04-18 08:16:35

Tags: regex logstash logstash-grok

I am reading a file as input, then passing it to the filter, and then, based on [type], outputting (stdout) via if/else.

Here is the conf section:

filter {
    if [path] =~ "error" {
        mutate {
            replace => { "type" => "ERROR_LOGS"}
        }
        grok {
            match => {"error_examiner" => "%{GREEDYDATA:err}"}
        }
        if [err] =~ "9999" {
            if [err] =~ "invalid offset" {
                mutate {
                    replace => {"type" => "DISCARDED_ERROR_LOGS"}
                }
                grok {
                    match => {"message" => "\[%{DATA:date}\] \[%{WORD:logtype} \] \[%{IPORHOST:ip}\]->\[http://search:9999/%{WORD:searchORsuggest}/%{DATA:askme_tag}\?%{DATA:paramstr}\] \[%{DATA:reason}\]"}
                }
                date {
                    match => [ "date", "YYYY-MM-DD aaa HH:mm:ss" ]
                    locale => en
                }
                geoip {
                    source => "ip"
                    target => "geo_ip"
                }
                kv {
                    source => "paramstr"
                    trimkey => "&\?\[\],"
                    value_split => "="
                    target => "params"
                }
            }
            else {
                mutate {
                    replace => {"type" => "ACCEPTED_ERROR_LOGS"}
                }
                grok {
                    match => {
                        "message" => "\[%{DATA:date}\] \[%{WORD:logtype} \] \[%{WORD:uptime}\/%{NUMBER:downtime}\] \[%{IPORHOST:ip}\]->\[http://search:9999/%{WORD:searchORsuggest}\/%{DATA:askme_tag}\?%{DATA:paramstr}\]"
                    }
                }
                date {
                    match => [ "date" , "YYYY-MM-DD aaa HH:mm:ss" ]
                    locale => en
                }
                geoip {
                    source => "ip"
                    target => "geo_ip"
                }
                kv {
                    source => "paramstr"
                    trimkey => "&\?\[\],"
                    value_split => "="
                    target => "params"
                }
            }
        }
        else if [err] =~ "Exception" {
            mutate {
                    replace => {"type" => "EXCEPTIONS_IN_ERROR_LOGS"}
            }
            grok {
                match => { "message" => "%{GREEDYDATA}"}
            }
        }
    }
    else if [path] =~ "info" {
        mutate {
            replace => {"type" => "INFO_LOGS"}
        }
        grok {
            match => {
                "info_examiner" => "%{GREEDYDATA:info}"
            }
        }
        if [info] =~ "9999" {
            mutate {
                replace => {"type" => "ACCEPTED_INFO_LOGS"}
            }
            grok {
                    match => {
                        "message" => "\[%{DATA:date}\] \[%{WORD:logtype} \] \[%{WORD:uptime}\/%{NUMBER:downtime}\]( \[%{WORD:qtype}\])?( \[%{NUMBER:outsearch}/%{NUMBER:insearch}\])? \[%{IPORHOST:ip}\]->\[http://search:9999/%{WORD:searchORsuggest}/%{DATA:askme_tag}\?%{DATA:paramstr}\]"
                    }
            }
            date {
                match => [ "date" , "YYYY-MM-DD aaa HH:mm:ss" ]
                locale => en
            }
            geoip {
                source => "ip"
                target => "geo_ip"
            }
            kv {
                source => "paramstr"
                trimkey => "&\?\[\],"
                value_split => "="
                target => "params"
            }
        }
        else {
            mutate {replace => {"type" => "DISCARDED_INFO_LOGS"}}
            grok {
                match => {"message" => "%{GREEDYDATA}"}
            }
        }
    }
}

The grok regexps I tested work at http://grokdebug.herokuapp.com/

However, this part does not work:

grok {
            match => {"error_examiner" => "%{GREEDYDATA:err}"}
        }
        if [err] =~ "9999" {

I would like to know what is wrong there?

1 answer:

Answer 0: (score: 0)

Actually, I have fixed it. Here is what I want to share with others, and what I learned during my initial experiments with logstash, because the documentation and other resources are not that helpful...

  1. "error_examiner" or "info_examiner" is not valid; parse the instance/event line in "message"
  2. geoip does not work for internal IPs.
  3. kv: for this you have to specify field_split and value_split; if they are not a=1&b=2 but, say, a:1&b:2, then field_split is & and value_split is :
  4. stdout: by default, if the chosen codec is json, choose rubydebug.
  5. Thanks,
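As an added illustration of answer points 1 to 3 (this is not code from the question or the answer), the filter chain re-implemented in Python: the grok patterns as one regex applied to "message", the if/else tree evaluated on that field, the kv split with explicit field_split/value_split, and a flag for internal IPs that geoip cannot resolve. The "internal" ranges (RFC 1918 plus loopback), the sample log lines and the file paths are assumptions; the config's regex conditions reduce to substring checks here.

```python
import ipaddress
import re
# Regex equivalent of the question's grok patterns; [uptime/downtime] and [reason] optional.
LINE = re.compile(
    r"\[(?P<date>[^\]]*)\] \[(?P<logtype>\w+) \](?: \[(?P<uptime>\w+)/(?P<downtime>\d+)\])?"
    r" \[(?P<ip>[^\]]+)\]->\[http://search:9999/(?P<searchORsuggest>\w+)/"
    r"(?P<askme_tag>[^?\]]*)\?(?P<paramstr>[^\]]*)\](?: \[(?P<reason>[^\]]*)\])?$"
)
# Assumed "internal" ranges (RFC 1918 plus loopback): geoip has no data for these.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Constructed sample events in the question's log layout (not real log data).
SAMPLES = [
    ("/var/log/app/error.log", "[2016-04-18 Mon 08:16:35] [ERROR ] [10.0.0.5]->"
     "[http://search:9999/search/books?q=rust&page=2] [invalid offset]"),
    ("/var/log/app/error.log", "[2016-04-18 Mon 08:16:36] [ERROR ] [up/12] [203.0.113.7]->"
     "[http://search:9999/suggest/movies?q=matrix&n=5]"),
    ("/var/log/app/error.log", "[2016-04-18 Mon 08:16:37] [ERROR ] NullPointerException in worker"),
]

def kv_parse(paramstr, field_split="&", value_split="="):
    """Mirror the kv filter: pairs split on field_split, key from value on value_split."""
    params = {}
    for pair in paramstr.split(field_split):
        if value_split in pair:
            key, value = pair.split(value_split, 1)
            params[key.strip("&?[],")] = value  # the question's trimkey characters
    return params

def classify(path, message):
    """The question's if/else tree, evaluated on [message] instead of the missing field."""
    if "error" in path:
        if "9999" in message:
            return "DISCARDED_ERROR_LOGS" if "invalid offset" in message else "ACCEPTED_ERROR_LOGS"
        return "EXCEPTIONS_IN_ERROR_LOGS" if "Exception" in message else "ERROR_LOGS"
    if "info" in path:
        return "ACCEPTED_INFO_LOGS" if "9999" in message else "DISCARDED_INFO_LOGS"
    return None

def process(path, message):
    """Build the event Logstash would emit for one (path, message) pair."""
    event = {"path": path, "message": message, "type": classify(path, message)}
    match = LINE.match(message)
    if match is None:
        event["tags"] = ["_grokparsefailure"]  # what grok adds when its pattern fails
        return event
    event.update({k: v for k, v in match.groupdict().items() if v is not None})
    event["params"] = kv_parse(event["paramstr"])
    event["geoip_skipped"] = any(ipaddress.ip_address(event["ip"]) in n for n in INTERNAL_NETS)
    return event
```

Run `process(*SAMPLES[0])` to see the first line land in DISCARDED_ERROR_LOGS with its params split and geoip skipped for the 10.0.0.5 address.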