How to parse a custom log

Time: 2018-10-08 09:06:15

Tags: logstash logstash-grok

I am new to logstash. Can someone help me use a grok filter to parse data that spans multiple newlines within the same log entry?

2018-10-08 13:38:34,280 [https-openssl-apr-0:0:0:0:0:0:0:0-8443-exec-424] INFO Rq:144839 ControllerInterceptor-afterCompletion( ) URL:GET :: /system/data/connect/service response:200 elapsed:10 ms

1 answer:

Answer 0: (score: 0)

1. Using Grok

http://grokdebug.herokuapp.com/

[first input box] Input

2018-10-08 13:38:34,280 [https-openssl-apr-0:0:0:0:0:0:0:0-8443-exec-424] INFO Rq:144839 ControllerInterceptor - afterCompletion()
response: 200
elapsed: 10 ms

[second input box] Grok Parse ==> %{UPTONEWLINE:Part1}%{UPTONEWLINE:Part2}

Check "Add custom patterns" and add the following line: UPTONEWLINE (?:(.+?)(\n))

Output

{
  "Part1": [
    [
      "2018-10-08 13:38:34,280 [https-openssl-apr-0:0:0:0:0:0:0:0-8443-exec-424] INFO Rq:144839 ControllerInterceptor - afterCompletion()\n"
    ]
  ],
  "Part2": [
    [
      "response: 200\n"
    ]
  ]
}
2. Without the Grok filter - Logstash config file

Input

2018-10-08 13:38:34,280 [https-openssl-apr-0:0:0:0:0:0:0:0-8443-exec-424] INFO Rq:144839 ControllerInterceptor - afterCompletion()\nresponse: 200\nelapsed: 10 ms

Logstash config file

input {
  http {
    # receive the raw log text posted over HTTP on this port
    port => 5043
    response_headers => {
      "Access-Control-Allow-Origin" => "*"
      "Content-Type" => "text/plain"
      "Access-Control-Allow-Headers" => "Origin, X-Requested-With, Content-Type, Accept"
    }
  }
}

filter {
  mutate {
    # split the message on the newline separator, then copy each part into its own field
    split => ['message','\n']
    add_field => {
      "Part1" => "%{[message][0]}"
      "Part2" => "%{[message][1]}"
      "Part3" => "%{[message][2]}"
    }
  }
}

output {
  stdout {
    codec => rubydebug
  }
}

Output

{
  "host" => "0:0:0:0:0:0:0:1",
  "@version" => "1",
  "message" => [
    [0] "2018-10-08 13:38:34,280 [https-openssl-apr-0:0:0:0:0:0:0:0-8443-exec-424] INFO Rq:144839 ControllerInterceptor - afterCompletion()",
    [1] "response: 200",
    [2] "elapsed: 10 ms"
  ],
  "Part1" => "2018-10-08 13:38:34,280 [https-openssl-apr-0:0:0:0:0:0:0:0-8443-exec-424] INFO Rq:144839 ControllerInterceptor - afterCompletion()",
  "Part2" => "response: 200",
  "Part3" => "elapsed: 10 ms",
  "@timestamp" => 2018-10-09T05:27:41.695Z
}
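Both approaches in the answer above can be prototyped offline before touching a Logstash pipeline. The following is an added example, not code from the question or the answer: a minimal grok emulator in Python that expands %{PATTERN:field} references into named regex groups, applied first with the answer's UPTONEWLINE pattern and then with a stricter expression that pulls out the timestamp, thread, level, request id, status and elapsed time as separate fields. The pattern library (TIMESTAMP, LOGLEVEL, INT, NOTSPACE) is a hand-written stand-in for the standard grok patterns of similar names, and the sample event is constructed to mirror the one in the answer. A non-matching event returns None, which is the analogue of Logstash tagging the event _grokparsefailure; checking for that outcome matters when these fields feed alerting, because an unparsed event silently drops out of any rule keyed on "status" or "elapsed_ms".

```python
import re

# Constructed sample event, modelled on the one in the answer (not captured from a real system).
SAMPLE_EVENT = (
    "2018-10-08 13:38:34,280 [https-openssl-apr-0:0:0:0:0:0:0:0-8443-exec-424] "
    "INFO Rq:144839 ControllerInterceptor - afterCompletion()\n"
    "response: 200\n"
    "elapsed: 10 ms\n"
)

# Small pattern library. UPTONEWLINE is the answer's custom pattern; the rest are
# hypothetical stand-ins for the standard grok patterns so the example runs offline.
PATTERNS = {
    "UPTONEWLINE": r"(?:.+?\n)",
    "TIMESTAMP": r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|WARN|ERROR|FATAL)",
    "INT": r"[+-]?\d+",
    "NOTSPACE": r"\S+",
}

# The answer's two-part expression, and a stricter one that names every field of interest.
ANSWER_EXPRESSION = "%{UPTONEWLINE:Part1}%{UPTONEWLINE:Part2}"
STRUCTURED_EXPRESSION = (
    r"%{TIMESTAMP:ts} \[%{NOTSPACE:thread}\] %{LOGLEVEL:level} Rq:%{INT:request_id} "
    r"%{UPTONEWLINE:handler}response: %{INT:status}\nelapsed: %{INT:elapsed_ms} ms"
)

# Matches %{NAME} or %{NAME:field} inside a grok expression.
GROK_REF = re.compile(r"%\{(?P<name>\w+)(?::(?P<field>\w+))?\}")


def compile_grok(expression):
    """Expand each %{PATTERN:field} reference into a named regex group and compile."""
    def expand(m):
        body = PATTERNS[m.group("name")]
        field = m.group("field")
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(GROK_REF.sub(expand, expression))


def grok(expression, text):
    """Return a dict of captured fields, or None when the expression does not match
    (the equivalent of Logstash adding the _grokparsefailure tag)."""
    m = compile_grok(expression).match(text)
    return m.groupdict() if m else None


def split_lines(event):
    """The answer's no-grok approach: split on newline and number the parts Part1, Part2, ..."""
    parts = event.rstrip("\n").split("\n")
    return {f"Part{i + 1}": part for i, part in enumerate(parts)}


if __name__ == "__main__":
    print(grok(ANSWER_EXPRESSION, SAMPLE_EVENT))
    print(grok(STRUCTURED_EXPRESSION, SAMPLE_EVENT))
    print(grok(STRUCTURED_EXPRESSION, "not a request log line\n"))
    print(split_lines(SAMPLE_EVENT))
```

The split approach reproduces the mutate filter in the answer's config. Note that the answer's input contains the two characters backslash and n rather than a real line break, and a single-quoted '\n' in a Logstash config is likewise the literal two-character string unless config.support_escapes is enabled in logstash.yml, which is why the split works there; if the events arrive with real newlines, the separator must be a real newline as well.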