我是logstash的新手,有人可以帮助我使用grok过滤器来解析同一日志中多个换行符的数据
2018-10-08 13:38:34,280 [https-openssl-apr-0:0:0:0:0:0:0:0-8443-exec-424] INFO Rq:144839 ControllerInterceptor-afterCompletion( ) 网址:GET :: / system / data / connect / service 回应:200 耗时:10毫秒
答案 0 :(得分:0)
http://grokdebug.herokuapp.com/
[第一个输入框] 输入
2018-10-08 13:38:34,280 [https-openssl-apr-0:0:0:0:0:0:0:0-8443-exec-424] INFO Rq:144839 ControllerInterceptor - afterCompletion()
response: 200
elapsed: 10 ms
[第二个输入框] Grok Parse ==> %{UPTONEWLINE:Part1}%{UPTONEWLINE:Part2}
选中添加自定义模式并添加以下行 UPTONEWLINE(?:(。+?)(\ n))
输出
{
"Part1": [
[
"2018-10-08 13:38:34,280 [https-openssl-apr-0:0:0:0:0:0:0:0-8443-exec-424] INFO Rq:144839 ControllerInterceptor - afterCompletion()\n"
]
],
"Part2": [
[
"response: 200\n"
]
]
}
输入
2018-10-08 13:38:34,280 [https-openssl-apr-0:0:0:0:0:0:0:0-8443-exec-424] INFO Rq:144839 ControllerInterceptor - afterCompletion()\nresponse: 200\nelapsed: 10 ms
Logstash配置文件
input {
http {
port => 5043
response_headers => {
"Access-Control-Allow-Origin" => "*"
"Content-Type" => "text/plain"
"Access-Control-Allow-Headers" => "Origin, X-Requested-With, Content-Type,
Accept"
}
}
}
filter {
mutate {
split => ['message','\n']
add_field => {
"Part1" => "%{[message][0]}"
"Part2" => "%{[message][1]}"
"Part3" => "%{[message][2]}"
}
}
}
output {
stdout {
codec => rubydebug
}
}
输出
{
"host"=>"0:0:0:0:0:0:0:1",
"@version"=>"1",
"message"=>[
[0]"2018-10-08 13:38:34,280 [https-openssl-apr-0:0:0:0:0:0:0:0-8443-exe c-424] INFO Rq:144839 ControllerInterceptor - afterCompletion()",
[1]"response: 200",
[2]"elapsed: 10 ms"
],
"Part1"=>"2018-10-08 13:38:34,280 [https-openssl-apr-0:0:0:0:0:0:0:0-8443-exec-424] INFO Rq:144839 ControllerInterceptor - afterCompletion()",
"Part2"=>"response: 200",
"Part3"=>"elapsed: 10 ms",
"@timestamp"=>2018-10-09T05: 27: 41.695Z
}