运行logstash时出现随机错误:
16:30:26.240 [[main]> worker0]错误logstash.pipeline - 异常 管道工,管道停止处理新事件,请 检查您的过滤器配置并重新启动Logstash。 {"例外" = GT;#, "回溯" => [" org / jruby / RubyString.java:3101:在
gsub'", "org/jruby/RubyString.java:3069:ingsub&#39;&#34;, &#34; /usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-mutate-3.1.3/lib/logstash/filters/mutate.rb:317:在gsub_dynamic_fields'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-mutate-3.1.3/lib/logstash/filters/mutate.rb:308:ingsub&#39;&#34;,&#34; org / jruby / RubyArray.java:1613:ineach'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-mutate-3.1.3/lib/logstash/filters/mutate.rb:290:ingsub&#39;&#34;, &#34; /usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-mutate-3.1.3/lib/logstash/filters/mutate.rb:207:在filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:145:indo_filter&#39;&#34 ;, &#34; /usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:164:在multi_filter'", "org/jruby/RubyArray.java:1613:in各&#39;&#34 ;, &#34; /usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:161:在multi_filter'", "/usr/share/logstash/logstash-core/lib/logstash/filter_delegator.rb:41:inmulti_filter&#39;&#34;,&#34;(eval):4135:initialize'", "org/jruby/RubyArray.java:1613:in每个&#39;&#34;,&#34;(eval):4131:ininitialize'", "org/jruby/RubyProc.java:281:in致电&#39;&#34;,&#34;(eval):997:infilter_func'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:295:infilter_batch&#39;&#34;,&#34; org / jruby / RubyProc.java:281:call'", "/usr/share/logstash/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:192:in每个&#39;&#34;,&#34; org / jruby /RubyHash.java:1342:ineach'", "/usr/share/logstash/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:191:in每个&#39;&#34;, &#34; /usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:294:在filter_batch'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:282:inworker_loop&#39;&#34 ;, &#34; /usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:258:在start_workers'"]} 16:30:26.542 [LogStash::Runner] FATAL logstash.runner - An unexpected error occurred! {:error=>#<InterruptedRegexpError: Regexp Interrupted>, :backtrace=>["org/jruby/RubyString.java:3101:inGSUB&#39;&#34 ;, &#34; org / jruby / RubyString.java:3069:在gsub'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-mutate-3.1.3/lib/logstash/filters/mutate.rb:317:ingsub_dynamic_fields&#39;&#34;中, &#34; /usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-mutate-3.1.3/lib/logstash/filters/mutate.rb:308:在gsub'", "org/jruby/RubyArray.java:1613:in各&#39;&#34 ;, &#34; /usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-mutate-3.1.3/lib/logstash/filters/mutate.rb:290:在gsub'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-mutate-3.1.3/lib/logstash/filters/mutate.rb:207:in滤波器&#39;&#34 ;, &#34; /usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:145:在do_filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:164:inmulti_filter&#39;&#34;,&#34; org / jruby / RubyArray.java:1613:在each'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:161:inmulti_filter&#39;&#34;中, &#34; /usr/share/logstash/logstash-core/lib/logstash/filter_delegator.rb:41:在multi_filter'", "(eval):4135:in初始化&#39;&#34 ;, &#34; org / jruby / RubyArray.java:1613:在each'", "(eval):4131:in初始化&#39;&#34;,&#34; org / jruby / RubyProc.java:281:在call'", "(eval):997:infilter_func& #39;&#34 ;, &#34; /usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:295:在filter_batch'", "org/jruby/RubyProc.java:281:in呼叫&#39;&#34 ;, &#34; /usr/share/logstash/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:192:在each'", "org/jruby/RubyHash.java:1342:in各&#39;&#34 ;, &#34; /usr/share/logstash/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:191:在each'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:294:infilter_batch&#39;&#34 ;, &#34; /usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:282:在worker_loop'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:258:instart_workers&#39;&#34;]}
我的logstash配置文件是:
input {
file {
type => "SystemError"
path => "/app/systemerr/**/*"
start_position => "beginning"
codec => multiline {
pattern => "^\s"
what => "previous"
}
}
file {
type => "SystemOut"
path => "/app/systemout/**/*"
start_position => "beginning"
codec => multiline {
pattern => "^\["
negate => true
what => "previous"
}
}
file {
type => "Errorlog"
path => "/app/error/**/*"
start_position => "beginning"
codec => multiline {
pattern => "^FATAL"
negate => true
what => "previous"
}
}
file {
type => "Messagelog"
path => "/app/message/**/*"
start_position => "beginning"
codec => multiline {
pattern => "^ERROR"
negate => true
what => "previous"
}
}
}
filter {
if [type] == "SystemError" {
grok {
match => { "message" => "\[%{DATA:timestamp}] %{BASE16NUM:threadID} (?<shortname>\b[A-Za-z0-9\$]{2,}\b)%{SPACE}%{WORD:loglevel}%{SPACE} %{GREEDYDATA:message}" }
overwrite => [ "message" ]
}
mutate {
gsub => ["timestamp", " GMT\+05\:30", ""]
}
date {
match => ["timestamp", "M/dd/yy HH:mm:ss:SSS"]
}
if ([message] =~ "^\tat") {
drop {}
}
if ([path] =~ "113") {
mutate {
add_field => { "server" => "113" }
}
} else {
mutate {
add_field => { "server" => "117" }
}
}
}
if [type] == "SystemOut" {
grok {
match => { "message" => "\[%{DATA:timestamp}] %{BASE16NUM:threadID} (?<shortname>\b[A-Za-z0-9\$]{2,}\b)%{SPACE}%{WORD:loglevel}%{SPACE} %{GREEDYDATA:message}" }
overwrite => [ "message" ]
}
mutate {
gsub => ["timestamp", " GMT\+05\:30", ""]
}
date {
match => ["timestamp", "M/dd/yy HH:mm:ss:SSS"]
}
if ([path] =~ "113") {
mutate {
add_field => { "server" => "113" }
}
} else {
mutate {
add_field => { "server" => "117" }
}
}
}
if [type] == "Errorlog" {
grok {
match => { "message" => "%{LOGLEVEL:loglevel} \| %{TIMESTAMP_ISO8601:timestamp} \| %{DATA:string} \: %{DATA:WebContainer} \| %{DATA:code} \| %{DATA:country} \| %{DATA:user} \| %{GREEDYDATA:message}" }
overwrite => [ "message" ]
}
date {
match => ["timestamp", "yyyy-M-dd HH:mm:ss,SSS"]
}
mutate { remove_field => [ "string" ] }
if ([path] =~ "113") {
mutate {
add_field => { "server" => "113" }
}
} else {
mutate {
add_field => { "server" => "117" }
}
}
}
if [type] == "Messagelog" {
grok {
match => { "message" => "%{LOGLEVEL:loglevel} \| %{TIMESTAMP_ISO8601:timestamp} \| %{DATA:string} \: %{DATA:WebContainer} \| %{DATA:code} \| %{DATA:country} \| %{DATA:user} \| %{GREEDYDATA:message}" }
overwrite => [ "message" ]
}
date {
match => ["timestamp", "yyyy-M-dd HH:mm:ss,SSS"]
}
mutate {
remove_field => [ "string" ]
}
if ([path] =~ "113") {
mutate {
add_field => { "server" => "113" }
}
} else {
mutate {
add_field => { "server" => "117" }
}
}
}
}
配置文件有什么问题吗?请帮忙。
答案 0 :(得分:1)
您可能会获得_grokparsefailure,因此timestamp字段未设置。您可以使用if块包围mutate / date,如下所示:
if "_grokparsefailure" not in [tags] {
mutate {
gsub => ["timestamp", " GMT\+05\:30", ""]
}
date {
match => ["timestamp", "M/dd/yy HH:mm:ss:SSS"]
}
}
您可能还想添加else { drop {} },但您应该首先找出不匹配的内容。