I am using the latest version of logstash / elasticsearch / kibana (7.4) and have the following problem:
Sometimes the "log_message" field is not indexed (or whatever you call it).
This is my config:
```
input {
  file {
    id => "live2_symfony"
    path => ["/home/logs/prod.log"]
  }
}
filter {
  grok {
    match => { "message" => "\[(?<timestamp>[0-9]{4}\-[0-9]{2}\-[0-9]{2} [0-9]{2}\:[0-9]{2}\:[0-9]{2})\] (?<level>[a-zA-Z\.]+): %{GREEDYDATA:log_message}" }
  }
  date {
    timezone => "Europe/Berlin"
    match => [ "timestamp", "YYYY-MM-dd HH:mm:ss", "ISO8601" ]
  }
}
output {
  elasticsearch {
    hosts => [ "localhost:9200" ]
    index => "logstash-symfony-%{+YYYY.MM.dd}"
  }
}
```
It works fine for log types (the "level" in this case) such as "app.DEBUG" and "app.ERROR", but not for "request.CRITICAL".
In Canvas I cannot group by "log_message" in Elasticsearch SQL: the "log_message.keyword" field is empty in the data table and in the top chart.
The data itself is there. I can run SELECT log_message FROM "index-*" WHERE level = 'app.CRITICAL'
and get the messages, but I cannot GROUP BY it like SELECT COUNT(*) AS count, log_message FROM "index-*" GROUP BY log_message ORDER BY count DESC,
which works for the other levels.
There log_message is NULL.
Here are 2 entries, as level log_message:
```
app.ERROR Could not render text: Unable to write in the cache directory (/var/www/html/var/cache/prod/twig/1d). [] []
```
Works fine for grouping etc.
But this does not:
```
request.CRITICAL Uncaught PHP Exception Twig\Error\RuntimeError: "An exception has been thrown during the rendering of a template ("Unable to create the cache directory (/var/www/html/var/cache/prod/twig/33).")." at /var/www/html/templates/mails/registration/email.html.twig line 12 {"exception":"[object] (Twig\\Error\\RuntimeError(code: 0): An exception has been thrown during the rendering of a template (\"Unable to create the cache directory (/var/www/html/var/cache/prod/twig/33).\"). at /var/www/html/templates/mails/registration/email.html.twig:12, RuntimeException(code: 0): Unable to create the cache directory (/var/www/html/var/cache/prod/twig/33). at /var/www/html/vendor/twig/twig/src/Cache/FilesystemCache.php:57)"} []
```
Is it the length of log_message? Or are there any characters I need to escape?
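To check the length hypothesis in the closing question, here is an added example (not part of the original post): it applies a Python equivalent of the grok pattern from the config to the two messages above, prefixed with a constructed Monolog timestamp, and compares the captured log_message against the 256-character ignore_above that Elasticsearch's default dynamic mapping puts on .keyword sub-fields. The timestamp prefix and the assumption that the index uses that default mapping are mine.

```python
import re

# Python equivalent of the grok pattern from the Logstash config
# (GREEDYDATA == .*). Python named groups are (?P<name>...), not (?<name>...).
GROK = re.compile(
    r"\[(?P<timestamp>[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2})\] "
    r"(?P<level>[a-zA-Z.]+): (?P<log_message>.*)"
)

# Assumption: the index uses Elasticsearch's default dynamic mapping, which gives
# string fields a `.keyword` sub-field with ignore_above: 256. Longer values are
# stored but not indexed in the keyword sub-field, so GROUP BY / terms
# aggregations over log_message.keyword see them as missing (NULL).
IGNORE_ABOVE = 256

# Constructed sample lines: the two messages from the question, prefixed with a
# made-up Monolog timestamp so they match the grok pattern.
SAMPLE_LINES = [
    "[2019-10-15 10:00:00] app.ERROR: Could not render text: Unable to write in the cache directory (/var/www/html/var/cache/prod/twig/1d). [] []",
    r'''[2019-10-15 10:00:01] request.CRITICAL: Uncaught PHP Exception Twig\Error\RuntimeError: "An exception has been thrown during the rendering of a template ("Unable to create the cache directory (/var/www/html/var/cache/prod/twig/33).")." at /var/www/html/templates/mails/registration/email.html.twig line 12 {"exception":"[object] (Twig\\Error\\RuntimeError(code: 0): An exception has been thrown during the rendering of a template (\"Unable to create the cache directory (/var/www/html/var/cache/prod/twig/33).\"). at /var/www/html/templates/mails/registration/email.html.twig:12, RuntimeException(code: 0): Unable to create the cache directory (/var/www/html/var/cache/prod/twig/33). at /var/www/html/vendor/twig/twig/src/Cache/FilesystemCache.php:57)"} []''',
]


def parse_line(line):
    """Apply the grok-equivalent regex; return captured fields or None if no match."""
    m = GROK.match(line)
    return m.groupdict() if m else None


def keyword_indexable(value, ignore_above=IGNORE_ABOVE):
    """True if the value fits into the default .keyword sub-field."""
    return len(value) <= ignore_above


def check_lines(lines):
    """Return (level, log_message length, indexable in .keyword?) per line."""
    results = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            results.append((None, 0, False))
            continue
        msg = fields["log_message"]
        results.append((fields["level"], len(msg), keyword_indexable(msg)))
    return results


if __name__ == "__main__":
    for level, length, ok in check_lines(SAMPLE_LINES):
        print(f"{str(level):<18} {length:>4} chars  keyword indexed: {ok}")
```

If the long message is the problem, the usual remedies are a larger ignore_above in an index template for that field, or shortening log_message with a Logstash filter before indexing; the script does not change the index.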