我有两种来自一个来源的日志消息。我正在尝试使用如下配置解析它们:
filter {
if [type] == "my_type" {
grok {
match => [ "message", "field1:" ]
break_on_match => false
add_tag => "field1_message"
}
}
if [type] == "my_type" {
grok {
match => [ "message", "field2:" ]
break_on_match => false
add_tag => "field2_message"
}
}
}
Field1 和 Field2 对于每种类型都是唯一的。我的正则表达式和模式是正确的。当我运行这个过滤器时,只有过滤器的第一部分是匹配的,从第二部分开始我只收到 _grokparsefailure。你能帮我解决这个问题吗?
I don't know what is your full config. For me, I have tested with your requirement, it's worked at me. Below is my config:
input {
file {
type => "A"
path => "/path/to/file/A/server.log.1"
}
file {
type => "B"
path => "/path/to/file/B/server.log.2"
}
}
filter{
if [type] == "A" {
grok {
match => [ "message", "field1: %{WORD:field1}" ]
break_on_match => false
add_tag => "field1_message"
}
}
if [type] == "B" {
grok {
match => [ "message", "field2: %{WORD:field2}" ]
break_on_match => false
add_tag => "field2_message"
}
}
}
output {
stdout {
codec => "rubydebug"
}
}
This is the input for server.log.1
field1: hello
And the corresponding output is
{
"message" => "field1: hello",
"@version" => "1",
"@timestamp" => "2014-10-17T03:18:34.421Z",
"type" => "A",
"host" => "ABC",
"path" => "/path/to/file/A/server.log.1",
"field1" => "hello",
"tags" => [
[0] "field1_message"
]
}
The second input for server.log.2
field2: world
And the output is
{
"message" => "field2: world",
"@version" => "1",
"@timestamp" => "2014-10-17T03:18:33.451Z",
"type" => "B",
"host" => "ABC",
"path" => "/path/to/file/B/server.log.2",
"field2" => "world",
"tags" => [
[0] "field2_message"
]
}
Hope this can help you, I am using logstash version 1.4.1.