Grok过滤器 - 检查字段存在

时间:2018-05-16 11:17:43

标签: logstash-grok logstash-logback-encoder

我有一个具有这种结构的日志消息:

"message" => "{

"@timestamp":"201856T12:54:33.347+02:00",
"thread":"main",
"logger_name":"org.elasticsearch.bootstrap",
"level":"WARN",
"message":"JNA not found. native methods will be disabled.",
"stack_trace": "java.lang.ClassNotFoundException: ... 
}

如您所见,消息内部有一个 stack_trace 字段,但是下面这个条件判断

# This conditional looks for a nested field: it expects [message] to be an
# object with a stack_trace key. The tcp input in the pipeline below has no
# codec, so [message] is presumably the raw received line as a string, and
# [message][stack_trace] is never set -- the tag is never added.
if [message][stack_trace] {
    mutate { add_tag => ["EXCEPTION"] }
}

不起作用

如何检查“message”是否包含“stack_trace”字段?

其他信息: 消息是通过logstash-logback-encoder生成的,如下所示:

    <appender name="STASH" class="net.logstash.logback.appender.LogstashTcpSocketAppender">
        <!-- Target Logstash tcp input. This is plain TCP: the appender also
             accepts an <ssl> element, worth enabling if the destination ever
             stops being local. -->
        <destination>localhost:5000</destination>

        <!-- Every event becomes one JSON document whose top-level keys are
             supplied by the providers listed below. -->
        <encoder class="net.logstash.logback.encoder.LoggingEventCompositeJsonEncoder">
            <providers>
                <!-- "@timestamp", rendered in the Berlin zone. -->
                <timestamp>
                    <timeZone>Europe/Berlin</timeZone>
                </timestamp>
                <!-- Caller location under custom field names. -->
                <callerData>
                    <classFieldName>classname</classFieldName>
                    <methodFieldName>method</methodFieldName>
                    <fileFieldName>file</fileFieldName>
                    <lineFieldName>line</lineFieldName>
                </callerData>
                <!-- Thread name, emitted as "thread". -->
                <threadName>
                    <fieldName>thread</fieldName>
                </threadName>
                <!-- Remaining providers use their default field names
                     (logger_name, level, message, stack_trace). -->
                <loggerName />
                <logLevel />
                <message />
                <stackTrace />
            </providers>
        </encoder>
    </appender>

这是logstash输入管道的内容:

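input {
    tcp {
        # The logback appender writes one JSON document per line. Without a
        # codec the whole line lands in [message] as a plain string, so nested
        # lookups such as [message][stack_trace] never match. json_lines parses
        # each line and places its keys (thread, level, message, stack_trace,
        # ...) at the top level of the event.
        codec => json_lines
        # Unauthenticated, unencrypted listener. The appender targets
        # localhost:5000; if the app and Logstash share a host, consider
        # host => "127.0.0.1" so the port is not reachable from the network,
        # or the input's ssl_enable option when it must cross a network.
        port => 5000
    }
}

filter {
    grok {
        # A plugin block may not repeat an option: the three separate
        # "match" entries were not merged and only one pattern was active.
        # Give the single key a list; grok tries the patterns in order.
        match => {
            "message" => [
                "LAT: %{NUMBER:LAT:float}, LON: %{NUMBER:LON:float}",
                "file %{WORD:TIPOFILE} elaborato",
                "Pubblicazione file %{WORD:PUB_FILENAME} sulla coda %{WORD:DEST_QUEUE} terminata"
            ]
        }
    }

    # With the JSON decoded, stack_trace is a top-level field of the event.
    if [stack_trace] {
        mutate { add_tag => ["EXCEPTION"] }
    }

    mutate {
        # Same repeated-option problem as above: one "rename" hash holding
        # every mapping, instead of five "rename" entries of which only the
        # last survived.
        rename => {
            "TIPOFILE"     => "[filename]"
            "LAT"          => "[location][latitude]"
            "LON"          => "[location][longitude]"
            "DEST_QUEUE"   => "[destQueue]"
            "PUB_FILENAME" => "[nomeFilePubbl]"
        }
    }
}

output {
    stdout {
        codec => rubydebug
    }
    elasticsearch {
        # Plain http, no credentials: acceptable only while the cluster is
        # reachable solely from this pipeline's network.
        hosts => "elasticsearch:9200"
    }
}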
