I'm getting log messages like this:
<pattern>
%d{yyyy-MM-dd HH:mm:ss} %level %logger{0} %mdc - %msg %n
</pattern>
2018-03-22 13:17:47 INFO SomeController [X-Span-Export = false, method = someMethod(),X-B3-SpanId = deef3c47193ec4a6, X-B3-TraceId = 0cecd4b78e1d8357] - 参数:[id = 40]
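In %mdc I can see some data, as you can see: span and trace IDs, method name, and export.
I need to split the message into separate fields and send it to Kibana through Elasticsearch using Logstash.
So I created a grok filter: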
grok {
match => { "message" => "%{DATESTAMP:date} %{WORD:level} %{WORD:class} \[X-Span-Export=%{GREEDYDATA:export}, method=%{GREEDYDATA:method}, X-B3-SpanId=%{GREEDYDATA:span_id}, X-B3-TraceId=%{GREEDYDATA:trace_id}\] - %{GREEDYDATA:log_message}" }
}
Result:
{
"date": [
"18-03-22 13:17:47"
],
"level": [
"INFO"
],
"class": [
"SomeController"
],
"export": [
"false"
],
"method": [
"someMethod()"
],
"span_id": [
"deef3c47193ec4a6"
],
"trace_id": [
"0cecd4b78e1d8357"
],
"log_message": [
"Parameters: [id=40]"
]
}
This works, but the problem is that the %mdc entries change position, so the log sometimes looks like this:
2018-03-22 13:17:47 INFO SomeController [X-B3-SpanId = deef3c47193ec4a6, method = someMethod(),X-Span-Export = false X-B3-TraceId = 0cecd4b78e1d8357] - 参数:[id = 40]
As you can see here, the spanId comes first... so the filter mixes up the values. How do I write a correct Logstash configuration for this case?
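An order-independent way to parse this line, as an added example that is not part of the original post: grok matches only the fixed layout and captures the bracketed MDC block as one field, and the `kv` filter then splits that block into pairs. The field name `mdc` is chosen for this example, and the pairs are assumed to be separated by commas.

```logstash
filter {
  # Match only the fixed layout of the line and capture the whole bracketed
  # MDC block as one string ("mdc" is a field name chosen for this example).
  # TIMESTAMP_ISO8601 captures the full four-digit year.
  grok {
    match => {
      "message" => "^%{TIMESTAMP_ISO8601:date} %{LOGLEVEL:level} %{NOTSPACE:class} \[%{DATA:mdc}\] - %{GREEDYDATA:log_message}"
    }
  }

  # Split the MDC block into key/value pairs; their order no longer matters.
  kv {
    source       => "mdc"
    field_split  => ","
    value_split  => "="
    trim_key     => " "     # tolerate "key = value" as well as "key=value"
    trim_value   => " "
    # Allowlist: an MDC entry that is not listed here never becomes a field.
    include_keys => ["X-Span-Export", "method", "X-B3-SpanId", "X-B3-TraceId"]
    remove_field => ["mdc"]
  }

  # Rename to the field names used by the original grok filter.
  mutate {
    rename => {
      "X-Span-Export" => "export"
      "X-B3-SpanId"   => "span_id"
      "X-B3-TraceId"  => "trace_id"
    }
  }
}
```

A value that itself contains a comma (for example a method signature with several arguments) would be split at that comma, so such values need a different `field_split`.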