Logstash可以自动识别日志中的KV对并解析它们,就像splunk一样。
我实际上写了一个GROK过滤器,它解析字段并定义了一个KV过滤器,以便可以解析出其他字段。但是有些日志是如此随机,以至于它们与我的GROK不匹配,而且我必须将KV对解析为字段。
我写了一个GROK:
%{MONTHDAY} %{MONTH} %{YEAR} %{TIME},%{NUMBER:duration} %{WORD:loglevel}%{SPACE}%{WORD:Activity} \[\{%{DATA:foo1}\}\]: %{GREEDYDATA:foo2}
在logstash配置文件中,我将在字段foo1和foo2上定义KV过滤器。
以下是我希望将其解析为附加字段的日志行:
[%t] 08 Aug 2017 18:55:38,179 INFO ApiConsumer [{applicationSystemCode=monicapp-app, clientIP=10.x.x.x, clusterId=Cluster-Id-NA, containerId=Container-Id-NA, correlationId=205c2806-2f97-f42f-00f5-9a43aafb9eb3, domainName=defaultDomain, hostName=10.x.x.x.domain.com, messageId=10.202.100.34-4041d41d-75f3-4282-9aab-dd1ab17ecdf3, userId=ANONYMOUS, webAnalyticsCorrelationId=B347BC083EB9DCE4ED5005506F1F1E63|}]: Accept="applications/json; v=1.0" Api-key="272df4bd-cb92-467e-b20b-4059e235b68e" Client-Correlation-Id="205c2806-2f97-f42f-00f5-9a43aafb9eb3" Content-Type="application/json" URL="https://mus.domain.com/private/appm/details-search"
[%t] 08 Aug 2017 18:55:38,203 INFO ApiConsumer [{applicationSystemCode=monicapp-app, clientIP=10.x.x.x, clusterId=Cluster-Id-NA, containerId=Container-Id-NA, correlationId=205c2806-2f97-f42f-00f5-9a43aafb9eb3, domainName=defaultDomain, hostName=ip-x-x-x.domain.com, messageId=10.x.x.34-4041d41d-75f3-4282-9aab-dd1ab17ecdf3, userId=ANONYMOUS, webAnalyticsCorrelationId=B347BC083EB9DCE4ED5005506F1F1E63|}]: KpiMetric="Cta" TransactionName="ApplicationDetail" TransactionStatus="Success" User="Associate(firstName=mike, lastName=daniel, role=Consultant, email=mike.daniel@domain.com, electronicId=mkd)"
第二个日志行中的挑战我还要解析User="Associate(firstName=mike, lastName=daniel, role=Consultant, email=mike.daniel@domain.com, electronicId=mkd)"
有什么想法吗?