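Logstash Grok overwrite not working

Time: 2016-11-25 09:34:39

Tags: logstash elastic-stack logstash-grok

I have the following logstash grok statements, which should run if the field contains the string "Caused", in which case a different pattern is applied to it and it is overwritten, but for some reason it does work. The regex patterns definitely work on their own; the problem is in the logic below. Any help is appreciated, thanks.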

grok {
        patterns_dir => ["./patterns"]
        match => ["message", "%{GREEDYDATA}\n%{JAVA_EXCEPTION_SHORT:exception}"]
}

if [exception] =~ "Caused" {
         grok {
            patterns_dir => ["./patterns"]
            match => ["exception", "{JAVA_EXCEPTION_LONG:exception}"]
            overwrite => ["exception"]
        }
}

Custom patterns:

JAVA_EXCEPTION_LONG (?<=^Caused by: ).*?Exception
JAVA_EXCEPTION_SHORT ^.+Exception

Sample log message:

2016-11-15 05:19:28,801 ERROR [App-Initialisation-Thread] appengine.java:520 Failed to initialize external authenticator myapp Support Access || appuser@vm23-13:/mnt/data/install/assembly app-1.4.12@cad85b224cce11eb5defa126030f21fa867b0dad
java.lang.IllegalArgumentException: Could not check if provided root is a directory
    at com.myapp.io.AbstractRootPrefixedFileSystem.checkAndGetRoot(AbstractRootPrefixedFileSystem.java:67)
    at com.myapp.io.AbstractRootPrefixedFileSystem.<init>(AbstractRootPrefixedFileSystem.java:30)
    at com.myapp.io.s3.S3FileSystem.<init>(S3FileSystem.java:32)
    at com.myapp.io.s3.S3FileSystemDriver.loadFileSystem(S3FileSystemDriver.java:60)
    at com.myapp.io.FileSystems.getFileSystem(FileSystems.java:55)
    at com.myapp.authentication.ldap.S3LdapConfigProvider.initializeCloudFS(S3LdapConfigProvider.java:77)
    at com.myapp.authentication.ldap.S3LdapConfigProvider.loadS3Config(S3LdapConfigProvider.java:51)
    at com.myapp.authentication.ldap.S3LdapConfigProvider.getLdapConfig(S3LdapConfigProvider.java:42)
    at com.myapp.authentication.ldap.DelegatingLdapConfigProvider.getLdapConfig(DelegatingLdapConfigProvider.java:45)
    at com.myapp.authentication.ldap.LdapExternalAuthenticatorFactory.create(LdapExternalAuthenticatorFactory.java:28)
    at com.myapp.authentication.ldap.LdapExternalAuthenticatorFactory.create(LdapExternalAuthenticatorFactory.java:10)
    at com.myapp.frob.appengine.getExternalAuthenticators(appengine.java:516)
    at com.myapp.frob.appengine.startUp(appengine.java:871)
    at com.myapp.frob.appengine.startUp(appengine.java:754)
    at com.myapp.jsp.KewServeInitContextListener$1.run(QServerInitContextListener.java:104)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.nio.file.NoSuchFileException: fh-ldap-config/
    at com.upplication.s3fs.util.S3Utils.getS3ObjectSummary(S3Utils.java:55)
    at com.upplication.s3fs.util.S3Utils.getS3FileAttributes(S3Utils.java:64)
    at com.upplication.s3fs.S3FileSystemProvider.readAttributes(S3FileSystemProvider.java:463)
    at com.myapp.io.AbstractRootPrefixedFileSystem.checkAndGetRoot(AbstractRootPrefixedFileSystem.java:61)

1 answer:

Answer 0 (score: 1)

The grok filter fails because you are missing a % in this line:

match => ["exception", "{JAVA_EXCEPTION_LONG:exception}"]

It should look like this:

match => ["exception", "%{JAVA_EXCEPTION_LONG:exception}"]

Because the parse failed, the field exception was not overwritten.
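The failure mode described in the answer, as an added example that is not part of the original post and not Logstash's own code: a simplified Python emulation of grok's %{NAME:field} expansion, showing that without the % the expression stays literal text, the match misses, the event is tagged _grokparsefailure (grok's default failure tag) and the field is left as it was. The helper names (expand, grok, run) and the sample field value are assumptions constructed for illustration.

```python
import re

# Custom patterns copied from the question's ./patterns file.
PATTERNS = {
    "JAVA_EXCEPTION_LONG": r"(?<=^Caused by: ).*?Exception",
    "JAVA_EXCEPTION_SHORT": r"^.+Exception",
}

# Only the %{NAME:field} form is treated as a pattern reference.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand(expr):
    """Replace each %{NAME:field} with a named group; leave everything else as-is."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        body = PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_REF.sub(repl, expr)


def grok(event, source, expr, overwrite=()):
    """Simplified grok: on a miss, tag the event and leave its fields alone."""
    m = re.search(expand(expr), event.get(source, ""), re.MULTILINE)
    if m is None:
        event.setdefault("tags", []).append("_grokparsefailure")
        return event
    for field, value in m.groupdict().items():
        # In this sketch an existing field changes only if listed in overwrite.
        if field not in event or field in overwrite:
            event[field] = value
    return event


# Constructed field value: the "Caused by" line from the sample log.
SAMPLE = "Caused by: java.nio.file.NoSuchFileException: fh-ldap-config/"


def run(expr):
    return grok({"exception": SAMPLE}, "exception", expr, overwrite=["exception"])


if __name__ == "__main__":
    print(expand("{JAVA_EXCEPTION_LONG:exception}"))  # no %, so nothing is expanded
    print(run("{JAVA_EXCEPTION_LONG:exception}"))     # tagged, field untouched
    print(run("%{JAVA_EXCEPTION_LONG:exception}"))    # field overwritten
```

In a running pipeline the same symptom can be confirmed by checking whether the event carries the _grokparsefailure tag after the second grok.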