自定义指标的Grok帮助

时间:2018-11-11 17:08:20

标签: logstash-grok

我有这样一条日志行:

09 Nov 2018 15:51:35 DEBUG  api.MapAnythingProvider - Calling API For Client: XXX Number of ELEMENTS Requested YYY

我要忽略所有其他日志行,而只希望其中包含单词“ 为客户端调用API ”的行。此外,我只对字符串XXX和数字YYY感兴趣。 感谢您的帮助。

1 个答案:

答案 0 :(得分:0)

input {
 file {
   path => ["C:/apache-tomcat-9.0.7/logs/service/service.log"]
   sincedb_path => "nul"
   start_position => "beginning"
  }
}
filter {
    grok {
    match => {
      "message" => "%{MONTHDAY:monthDay} %{MONTH:mon} %{YEAR:year} %{TIME:ts} %{WORD:severity}  %{JAVACLASS:claz} - %{GREEDYDATA:logmessage}"
      }
    }   

    grok {
    match => {
      "logmessage" => "%{WORD:keyword} %{WORD:customer} %{WORD:key2} %{NUMBER:mapAnythingCreditsConsumed:float} %{WORD:key3} %{NUMBER:elementsFromCache:int}"
      }
    }   

    if "_grokparsefailure" in [tags] {
    drop {}
    }

    mutate {
    remove_field => [ "monthDay", "mon", "ts", "severity", "claz", "keyword", "key2", "path", "message", "year", "key3" ]
    }
}
output {
        if [logmessage] =~ /ExecutingJobFor/  { 
        elasticsearch {
            hosts => ["localhost:9200"]
            index => "test"
            manage_template => false
        }
        stdout {
            codec => rubydebug
        }
        }
}
相关问题
最新问题