Question

我正在读取文件作为输入，然后传递给它进行过滤，因此根据[type]输出if / else（stdout）。

这是conf部分：

filter {
    if [path] =~ "error" {
        mutate {
            replace => { "type" => "ERROR_LOGS"}
        }
        grok {
            match => {"error_examiner" => "%{GREEDYDATA:err}"}
        }
        if [err] =~ "9999" {
            if [err] =~ "invalid offset" {
                mutate {
                    replace => {"type" => "DISCARDED_ERROR_LOGS"}
                }
                grok {
                    match => {"message" => "\[%{DATA:date}\] \[%{WORD:logtype} \] \[%{IPORHOST:ip}\]->\[http://search:9999/%{WORD:searchORsuggest}/%{DATA:askme_tag}\?%{DATA:paramstr}\] \[%{DATA:reason}\]"}
                }
                date {
                    match => [ "date", "YYYY-MM-DD aaa HH:mm:ss" ]
                    locale => en
                }
                geoip {
                    source => "ip"
                    target => "geo_ip"
                }
                kv {
                    source => "paramstr"
                    trimkey => "&\?\[\],"
                    value_split => "="
                    target => "params"
                }
            }
            else {
                mutate {
                    replace => {"type" => "ACCEPTED_ERROR_LOGS"}
                }
                grok {
                    match => {
                        "message" => "\[%{DATA:date}\] \[%{WORD:logtype} \] \[%{WORD:uptime}\/%{NUMBER:downtime}\] \[%{IPORHOST:ip}\]->\[http://search:9999/%{WORD:searchORsuggest}\/%{DATA:askme_tag}\?%{DATA:paramstr}\]"
                    }
                }
                date {
                    match => [ "date" , "YYYY-MM-DD aaa HH:mm:ss" ]
                    locale => en
                }
                geoip {
                    source => "ip"
                    target => "geo_ip"
                }
                kv {
                    source => "paramstr"
                    trimkey => "&\?\[\],"
                    value_split => "="
                    target => "params"
                }
            }
        }
        else if [err] =~ "Exception" {
            mutate {
                    replace => {"type" => "EXCEPTIONS_IN_ERROR_LOGS"}
            }
            grok {
                match => { "message" => "%{GREEDYDATA}"}
            }
        }
    }
    else if [path] =~ "info" {
        mutate {
            replace => {"type" => "INFO_LOGS"}
        }
        grok {
            match => {
                "info_examiner" => "%{GREEDYDATA:info}"
            }
        }
        if [info] =~ "9999" {
            mutate {
                replace => {"type" => "ACCEPTED_INFO_LOGS"}
            }
            grok {
                    match => {
                        "message" => "\[%{DATA:date}\] \[%{WORD:logtype} \] \[%{WORD:uptime}\/%{NUMBER:downtime}\]( \[%{WORD:qtype}\])?( \[%{NUMBER:outsearch}/%{NUMBER:insearch}\])? \[%{IPORHOST:ip}\]->\[http://search:9999/%{WORD:searchORsuggest}/%{DATA:askme_tag}\?%{DATA:paramstr}\]"
                    }
            }
            date {
                match => [ "date" , "YYYY-MM-DD aaa HH:mm:ss" ]
                locale => en
            }
            geoip {
                source => "ip"
                target => "geo_ip"
            }
            kv {
                source => "paramstr"
                trimkey => "&\?\[\],"
                value_split => "="
                target => "params"
            }
        }
        else {
            mutate {replace => {"type" => "DISCARDED_INFO_LOGS"}}
            grok {
                match => {"message" => "%{GREEDYDATA}"}
            }
        }
    }
}

我测试过的grok regexps工作http://grokdebug.herokuapp.com/

然而，这部分不起作用：

grok {
            match => {"error_examiner" => "%{GREEDYDATA:err}"}
        }
        if [err] =~ "9999" {

我想知道那里有什么问题？

Answer 1

实际上，我已经修好了。以下是我想与其他人分享的内容，以及我在使用logstash进行初步实验时所学到的内容，因为文档和其他资源并不是那么有用......

“error_examiner”或“info_examiner”无效，解析“message”中的实例/事件行
geoip不适用于内部ips。
kv，为此你必须指定field_split和value_split，如果它们不是a = 1 b = 2，但是说a：1＆amp; b：2然后field_Split是＆amp;，value_split是：
stdout，默认情况下，如果选择的编解码器是json，请选择rubydebug。

谢谢，

logstash-filter不尊重正则表达式

1 个答案: