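I am new to Logstash. I currently have a logstash.conf file that sends error logs to a Zabbix item. I have applied a custom grok filter to look for the ERROR | Error | error keywords and, based on that, redirect the output to the Zabbix item. However, I want Logstash to send an incremental counter when the filter result evaluates to true, instead of simply sending the corresponding log. How can I achieve this?
Below is a snippet of the log file I am using.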
    input {
      file {
        path => "/root/sample.log"
        type => "string"
      }
    }
    # The filter part of this file is commented out to indicate that it is
    # optional.
    filter {
      mutate {
        add_field => { "[@metadata][error]" => "error" }
        add_field => { "[@metadata][counter]" => "1" }
        add_field => { "myhost" => "logstash" }
      }
      if "grokked" not in [tags] {
        grok {
          patterns_dir => ["/root/logstash-5.5.0/pattern"]
          match => { "message" => "%{ERROR:log_level}" }
          add_tag => ["ERROR", "grokked"]
        }
      }
    }
    output {
      stdout { codec => rubydebug }
      if "ERROR" in [tags] {
        zabbix {
          zabbix_server_host => "192.168.56.102"
          zabbix_host => "myhost"
          zabbix_key => "[@metadata][error]"
          #zabbix_value => "[@metadata][counter]"
        }
      }
    }
Answer 0: (score: 1)

    ruby {
      code => 'event.set("error_count", event.get("message").scan(/Error/i).length)'
    }

This way you will have a field named error_count containing the number of times error (case-insensitive) appears in message.
Answer 1: (score: 0)
This is how I did it, in the end:
    input {
      file {
        path => "/root/sample.log"
        type => "string"
      }
    }
    filter {
      if "grokked" not in [tags] {
        grok {
          patterns_dir => ["/root/logstash-5.5.0/pattern"]
          match => { "message" => "%{ERROR:log_level}" }
          add_tag => ["ERROR", "grokked"]
          add_field => { "[@metadata][myhost]" => "logstash" }
          add_field => { "[@metadata][error]" => "error" }
          add_field => { "zabbix_message" => "The following has been detected in code:: %{message}" }
        }
      }
      if "ERROR" in [tags] {
        # Meter the matching events; a metric event carrying the count is
        # emitted every flush_interval seconds and tagged "metric".
        metrics {
          meter => "error"
          add_tag => "metric"
          add_field => { "[@metadata][myhost]" => "logstash" }
          add_field => { "[@metadata][error]" => "error" }
          flush_interval => 30
          #clear_interval => 60
          add_field => { "zabbix_message" => "The current Error count is: %{[error][count]}" }
        }
      }
    }
    output {
      #stdout { codec => rubydebug }
      # Metric events: send the running error count.
      if "metric" in [tags] {
        zabbix {
          zabbix_server_host => "192.168.56.102"
          zabbix_key => "[@metadata][error]"
          zabbix_host => "[@metadata][myhost]"
          zabbix_value => "zabbix_message"
        }
      }
      # Matching log events: send the log line itself.
      if "ERROR" in [tags] {
        zabbix {
          zabbix_server_host => "192.168.56.102"
          zabbix_key => "[@metadata][error]"
          zabbix_host => "[@metadata][myhost]"
          zabbix_value => "zabbix_message"
        }
      }
    }
I also created a custom pattern file to match the pattern: /root/logstash-5.5.0/pattern
The contents of the pattern file are:

    ERROR (ERROR|error|Error)
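
The two answers count different things: Answer 0's expression counts occurrences inside a single message, while Answer 1's meter keeps a running count of matching events across the stream. The Ruby below is an added example, not code from the original posts, that runs both over the same input. The sample events, the ErrorMeter class and the simulate helper are constructed for illustration, and the meter is a simplified, event-driven stand-in for the metrics filter.

```ruby
# Constructed sample input: [seconds since start, log message]. Not from the original post.
SAMPLE_EVENTS = [
  [1,  "INFO  service started"],
  [5,  "ERROR db timeout; retry error: connection reset"],
  [9,  "WARN  slow response"],
  [12, "Error while parsing request"],
  [40, "error: disk full"]
].freeze

# Same alternation as the custom grok pattern ERROR (ERROR|error|Error).
ERROR_PATTERN = /ERROR|error|Error/

# Answer 0's expression: occurrences of "error" inside one message.
def per_event_count(message)
  message.scan(/Error/i).length
end

# Simplified stand-in for the metrics filter's meter (hypothetical class):
# one increment per matching event, a snapshot every flush_interval seconds.
class ErrorMeter
  attr_reader :count

  def initialize(flush_interval)
    @flush_interval = flush_interval
    @count = 0
    @last_flush = nil
  end

  # Returns the flush message when a flush is due, otherwise nil.
  # Event-driven for simplicity; the real filter flushes on a timer.
  def observe(seconds, message)
    @last_flush ||= seconds
    @count += 1 if message.match?(ERROR_PATTERN)
    return nil if seconds - @last_flush < @flush_interval

    @last_flush = seconds
    "The current Error count is: #{@count}"
  end
end

# Feeds events through the meter and collects every flush message.
def simulate(events, flush_interval)
  meter = ErrorMeter.new(flush_interval)
  events.map { |seconds, message| meter.observe(seconds, message) }.compact
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_EVENTS.each { |_, m| puts "#{per_event_count(m)}  #{m}" }
  puts simulate(SAMPLE_EVENTS, 30)
end
```

The second sample line contains the keyword twice, so the per-message count reports 2 for it while the meter advances by only 1.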