我对logstash很新,所以这可能是一个简单的错误,但我无法找到错误的位置。我已经安装了logstash,我正在尝试解析我从自定义java程序生成的一些日志。我正在寻找一条特定的路线:
ERROR ProcessStatus 05/24/2017 12:13:58 RETC:0 : Request.evaluate:PDP Response decision: Permit
ERROR ProcessStatus 05/24/2017 12:13:58 RETC:0 : Request.evaluate:PDP Response decision: NotApplicable
我已经定义了以下配置文件:
input {
file {
type => "log"
path => [ "/var/log/tomcat7/catalina.out" ]
}
}
filter {
grok {
match => [ "message" , "%{WORD:text1} %{WORD:text2} \[%{DATA:date}\] %{WORD:text3}:%{NUMBER:num1} : %{WORD:text4}.%{WORD:text5}:%{WORD:text6} %{WORD:text7} %{WORD:text8} %{WORD:decision}"]
remove_field => [ "message" ]
}
date {
match => [ "timestamp", "MM/dd/YYYY HH:mm:ss" ]
remove_field => [ "timestamp" ]
}
}
output {
stdout {
codec => rubydebug
}
}
当在日志文件中收到该行时,我收到一个解析错误:
{
"path" => "/var/log/tomcat7/catalina.out",
"@timestamp" => 2017-05-24T14:31:18.494Z,
"@version" => "1",
"host" => "acio-web01",
"message" => "ERROR ProcessStatus 05/24/2017 16:31:17 RETC:0 : Request.evaluate:PDP Response decision: Indeterminate",
"type" => "log",
"tags" => [
[0] "_grokparsefailure"
]
}
我怀疑解析错误与日期格式有关,但我无法找到正确的定义方式。我知道我做错了什么?
答案 0 :(得分:1)
您的grok模式与您的数据不匹配。在它显示的消息中,日期周围没有[],但您的模式假定存在。
您可以将日志行和模式粘贴到https://grokdebug.herokuapp.com/并播放,直到匹配为止。