我的logstash过滤器在调试器中正确但在搜索我在kibana中测试的确切消息时没有显示字段。这是我的过滤器:
filter {
if [type] == "syslog" {
grok {
match => { 'message' => '%{SYSLOG5424LINE}' }
}
syslog_pri {
syslog_pri_field_name => 'syslog5424_pri'
}
date {
match => [ 'syslog5424_ts', 'ISO8601' ]
}
}
以下是我的日志消息示例:
<134>1 2017-01-23T10:54:44.587136-08:00 mcmp mapp - - close ('xxx', 32415)
似乎过滤器没有应用,我重新启动了我的logstash服务并在grok调试器中进行了测试。任何想法都错了吗?
答案 0 :(得分:2)
看起来它对我来说是正常的。
我用:
创建了test.confinput {
stdin {}
}
filter {
grok {
match => { 'message' => '%{SYSLOG5424LINE}' }
}
syslog_pri {
syslog_pri_field_name => 'syslog5424_pri'
}
date {
match => [ 'syslog5424_ts', 'ISO8601' ]
}
}
output {
stdout { codec => "rubydebug" }
}
然后像这样测试:
echo "<134>1 2017-01-23T10:54:44.587136-08:00 mcmp mapp - - close ('xxx', 32415)" | bin/logstash -f test.conf
它作为输出提供的事件:
{
"syslog_severity_code" => 6,
"syslog_facility" => "local0",
"syslog_facility_code" => 16,
"syslog5424_ver" => "1",
"message" => "<134>1 2017-01-23T10:54:44.587136-08:00 mcmp mapp - - close ('xxx', 32415)",
"syslog5424_app" => "mapp",
"syslog5424_msg" => "close ('xxx', 32415)",
"syslog_severity" => "informational",
"tags" => [],
"@timestamp" => 2017-01-23T18:54:44.587Z,
"syslog5424_ts" => "2017-01-23T10:54:44.587136-08:00",
"syslog5424_pri" => "134",
"@version" => "1",
"host" => "xxxx",
"syslog5424_host" => "mcmp"
}
包含SYSLOG5424LINE模式包含的所有字段。