logstash配置grok解析时间戳

时间:2017-01-31 12:40:25

标签: logstash logstash-grok logstash-configuration

我正在尝试解析

[7/1/05 13:41:00:516 PDT]

这是我为此编写的配置文件:

\[%{DD/MM/YY HH:MM:SS:S Z}\]

使用日期过滤器:

input {
file {
path => "logstash-5.0.0/bin/sta.log"
start_position => "beginning"
}
}
filter {
grok {
match =>" \[%{DATA:timestamp}\] "
}
date {
match => ["timestamp","DD/MM/YY HH:MM:SS:S ZZZ"]
}
}
output {
stdout{codec => "json"}
}

以上是我使用的配置。

并将此视为我的sta.log文件内容:

[7/1/05 13:41:00:516 PDT]

出现此错误:

[2017-01-31T12:37:47,444][ERROR][logstash.agent           ] fetched an invalid config {:config=>"input {\nfile {\npath => \"logstash-5.0.0/bin/sta.log\"\nstart_position => \"beginning\"\n}\n}\nfilter {\ngrok {\nmatch =>\"\\[%{DATA:timestamp}\\]\"\n}\ndate {\nmatch => [\"timestamp\"=>\"DD/MM/YY HH:MM:SS:S ZZZ\"]\n}\n}\noutput {\nstdout{codec => \"json\"}\n}\n\n", :reason=>"Expected one of #, {, ,, ] at line 12, column 22 (byte 184) after filter {\ngrok {\nmatch =>\"\\[%{DATA:timestamp}\\]\"\n}\ndate {\nmatch => [\"timestamp\""}

有人可以帮忙吗?

1 个答案:

答案 0 :(得分:1)

您忘记为grok过滤器指定输入内容。正确的配置如下所示:

input {
  file {
    path => "logstash-5.0.0/bin/sta.log"
    start_position => "beginning"
  }
}

filter {
  grok {
    match => {"message" => "\[%{DATA:timestamp} PDT\]"}
  }
  date {
    match => ["timestamp","dd/MM/yy HH:mm:ss:SSS"]
  }
}

output {
  stdout{codec => "json"}
}

如需进一步参考,请查看grok文档here