在Logstash中使用grok过滤器时跟踪反斜杠问题
应该使用“ repo”值分别将消息解析为“ test”和“ test-group”,但是第三条消息具有grok解析错误,因为它缺少反斜杠,而grok过滤器无法解析“ resource_path”它。我想跳过将API解析为存储库的原因,这就是我必须实现正则表达式才能实现的原因。
我想知道是否有任何解决方法,以便不以反斜杠结尾的消息仍能被解析并且不会引发错误。
Test messages used:
20190815175019|9599|REQUEST|14.56.55.120|anonymous|POST|/api/test/Lighter-test-group|HTTP/1.1|200|452
20190815175019|9599|REQUEST|14.56.55.120|anonymous|POST|/api/test-group/|HTTP/1.1|200|452
20190815175019|9599|REQUEST|14.56.55.120|anonymous|POST|/api/test-group|HTTP/1.1|200|452
Grok过滤器:
filter {
grok {
break_on_match => false
match => { "message" => "%{DATA:timestamp_local}\|%{NUMBER:duration}\|%{WORD:requesttype}\|%{IP:clientip}\|%{DATA:username}\|%{WORD:method}\|%{DATA:resource}\|%{DATA:protocol}\|%{NUMBER:statuscode}\|%{NUMBER:bytes}" }
}
grok {
break_on_match => false
match => { "resource" => "^(\/)+[^\/]+/%{DATA:repo}/%{GREEDYDATA:resource_path}" }
}
}
预期结果:
{
"@timestamp" => 2019-08-20T19:09:48.008Z,
"path" => "/Users/hack/test-status.log",
"timestamp_local" => "20190815175019",
"username" => "anonymous",
"method" => "POST",
"repo" => "test-group",
"bytes" => "452",
"requesttype" => "REQUEST",
"protocol" => "HTTP/1.1",
"duration" => "9599",
"clientip" => "14.56.55.120",
"resource" => "/api/test-group/",
"statuscode" => "200",
"message" => "20190815175019|9599|REQUEST|14.56.55.120|anonymous|POST|/api/test-group/|HTTP/1.1|200|452",
"host" => "empty",
"@version" => "1"
}
actual output:
{
"@timestamp" => 2019-08-20T19:09:48.009Z,
"path" => "/Users//hack/test-status.log",
"timestamp_local" => "20190815175019",
"username" => "anonymous",
"method" => "POST",
"bytes" => "452",
"requesttype" => "REQUEST",
"protocol" => "HTTP/1.1",
"duration" => "9599",
"clientip" => "14.56.55.120",
"resource" => "/api/test-group",
"statuscode" => "200",
"message" => "20190815175019|9599|REQUEST|14.56.55.120|anonymous|POST|/api/test-group|HTTP/1.1|200|452",
"host" => "empty",
"@version" => "1",
"tags" => [
[0] "_grokparsefailure"
]
}