Using Logstash

Time: 2016-04-22 12:03:35

Tags: aggregate logstash elastic-stack

I have been struggling with a problem for some days now.

My log contains user operations, in this format:

For example:

07/04/2016 00:05:57.821 reqId:1 Request Begin message body

07/04/2016 00:06:57.821 reqId:1 Request End message body

07/04/2016 00:15:57.821 reqId:2 Request Begin message body

07/04/2016 01:35:57.821 reqId:3 Request Begin message body

Each operation has a unique request ID.

Each operation starts with "Request Begin" and ends with "Request End". However, some operations never end (probably due to a Java error), i.e. a particular request ID is never matched by a "Request End".

Using Logstash I want to correlate the events containing "Request Begin" with their matching "Request End", and then using Kibana I want to retrieve all the actions that have no matching "Request End" (i.e. the incomplete ones).

I came across the aggregate filter, but I can't figure out how to configure it to correlate the events.

The relevant snippet of my logstash.conf is as follows:

if [request-status] == "Request Begin" {
    aggregate {
        task_id => "%{request-ID}"
        code => "map['request-complete']; event['request-complete']=0"
        map_action => "create_or_update"
    }
}
if [request-status] == "Request End" {
    aggregate {
        task_id => "%{request-ID}"
        code => "event['request-complete'] = 1"
        map_action => "update"
        timeout => 600
        end_of_task => true
    }
}

The output is:

Logstash startup completed
{
             "message" => "07/04/2016 00:05:57.821 reqId:1 Request Begin message body",
            "@version" => "1",
          "@timestamp" => "2016-04-22T11:44:53.102Z",
      "real-timestamp" => "07/04/2016 00:05:57.821",
          "request-ID" => "1",
      "request-status" => "Request Begin",
        "message-body" => "message body",
    "request-complete" => 0
}
{
             "message" => "07/04/2016 00:06:57.821 reqId:1 Request End message body",
            "@version" => "1",
          "@timestamp" => "2016-04-22T11:44:53.400Z",
      "real-timestamp" => "07/04/2016 00:06:57.821",
          "request-ID" => "1",
      "request-status" => "Request End",
        "message-body" => "message body",
    "request-complete" => 1
}
{
             "message" => "07/04/2016 00:15:57.821 reqId:2 Request Begin message body",
            "@version" => "1",
          "@timestamp" => "2016-04-22T11:44:53.400Z",
      "real-timestamp" => "07/04/2016 00:15:57.821",
          "request-ID" => "2",
      "request-status" => "Request Begin",
        "message-body" => "message body",
    "request-complete" => 0
}
{
             "message" => "07/04/2016 01:35:57.821 reqId:3 Request Begin message body",
            "@version" => "1",
          "@timestamp" => "2016-04-22T11:44:53.401Z",
      "real-timestamp" => "07/04/2016 01:35:57.821",
          "request-ID" => "3",
      "request-status" => "Request Begin",
        "message-body" => "message body",
    "request-complete" => 0
}

My question:

Is there any way I can change the "request-complete" field of the "Request Begin" action to match that of its corresponding "Request End"?

For example, I would like to change "request-complete" of the event with "request-ID => 1" and "request-status => Request Begin" from "request-complete => 0" to "request-complete => 1" (the same value as the event with "request-ID => 1" and "request-status => Request End").

That way I could search in Kibana for events with "request-status = Request Begin" and "request-complete = 1" (which would be all the events without a matching end event).

Thanks in advance for any help.
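An added example, not part of the original post: by the time "Request End" arrives, the "Request Begin" event has already left the pipeline, so it cannot be rewritten in place. The aggregate pattern instead keeps a map per request ID, deletes it on End (end_of_task) and, when a map outlives the timeout, pushes it as a new event (what logstash-filter-aggregate does with push_map_as_event_on_timeout and timeout_task_id_field). The Ruby below stands in for the plugin's map handling so the logic can be run stand-alone; the log lines are constructed in the question's format, day/month/year date order and the "request-incomplete" tag are assumptions.

```ruby
require 'time'

# Constructed sample lines in the format from the question (not real log data).
SAMPLE_LOG = <<~LOG
  07/04/2016 00:05:57.821 reqId:1 Request Begin message body
  07/04/2016 00:06:57.821 reqId:1 Request End message body
  07/04/2016 00:15:57.821 reqId:2 Request Begin message body
  07/04/2016 01:35:57.821 reqId:3 Request Begin message body
LOG

LINE_RE = /^(?<ts>\S+ \S+) reqId:(?<id>\d+) (?<status>Request (?:Begin|End)) (?<body>.*)$/
TS_FORMAT = '%d/%m/%Y %H:%M:%S.%L' # assumed day/month/year order for the question's dates

# Roughly what the question's parsing stage produces: one hash of fields per log line.
def parse_line(line)
  m = LINE_RE.match(line) or return nil
  { 'real-timestamp' => Time.strptime(m[:ts], TS_FORMAT), 'request-ID' => m[:id],
    'request-status' => m[:status], 'message-body' => m[:body] }
end

# Stands in for the aggregate filter's map handling: Begin creates a map keyed by the
# task_id, End deletes it (end_of_task => true), and maps older than the timeout are
# pushed as new events (push_map_as_event_on_timeout => true) flagged as incomplete.
class RequestCorrelator
  def initialize(timeout_seconds)
    @timeout = timeout_seconds
    @open = {} # task_id => map, kept in arrival order
  end

  def process(event)
    id = event['request-ID']
    case event['request-status']
    when 'Request Begin' then @open[id] = { 'request-ID' => id, 'started' => event['real-timestamp'] }
    when 'Request End'   then @open.delete(id)
    end
  end

  # Emits one synthetic event per request whose Begin is older than the timeout.
  def flush(now)
    expired = @open.select { |_, m| now - m['started'] > @timeout }
    expired.each_key { |id| @open.delete(id) }
    expired.values.map { |m| m.merge('request-complete' => 0, 'tags' => ['request-incomplete']) }
  end
end

# Request IDs that timed out without a matching End, in log order.
def incomplete_request_ids(log_text, timeout_seconds, now)
  corr = RequestCorrelator.new(timeout_seconds)
  log_text.each_line { |l| (e = parse_line(l)) && corr.process(e) }
  corr.flush(now).map { |e| e['request-ID'] }
end
```

The pushed events are the ones to search for in Kibana (here via the "request-incomplete" tag and request-complete = 0); the original Begin events stay untouched.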

0 answers