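I wrote a grok filter using a regular expression. In the Grok debugger the configuration works without errors, but when I try to match in logstash.conf the result is always "grokparsefailure".
The message I want to match is: 10.196.3.3 - - [01/Aug/2014:00:00:16 +0200] "GET / HTTP/1.1" 200 1507 "-" "-"
My filter in the grok debugger is: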
(?<clientIP>[^ ]*)[^\[]*\[(?<timestamp>.{26})] "(?<httpRequest>[^"]*)" (?<httpStatusCode>\d{3}) (?<bytesSent>[^ ]*) "(?<Referer>[^"]*)" "(?<userAgent>[^"]*)"
The complete conf is:
input {
  file {
    type => 'jboss_log'
    path => '/home/christian/Downloads/access-logs-2014-08/vlpr133-2014-08/jBoss_http_access*.log'
    start_position => 'beginning'
  }
}
filter {
  if [type] == 'jboss_log' {
    grok {
      match => [' message', '(?<clientIP>[^ ]*)[^\[]*\[(?<timestamp>.{26})] "(?<httpRequest>[^"]*)" (?<httpStatusCode>\d{3}) (?<bytesSent>[^ ]*) "(?<Referer>[^"]*)" "(?<userAgent>[^"]*)"']
      #tag_on_failure => [ ]
    }
  }
}
output {
  stdout { codec => json }
  elasticsearch { cluster => 'elasticsearch' }
}
So maybe someone can help me?
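
To check the pattern independently of the Logstash configuration, the following added example (not part of the original post) runs the post's regular expression against the quoted log line in Ruby, which accepts the same `(?<name>...)` named-group syntax. The helper name `parse_access_line`, the `timestamp_utc` field and the second sample line are assumptions made for illustration.

```ruby
require 'time'

# Pattern copied verbatim from the post.
ACCESS_RE = /(?<clientIP>[^ ]*)[^\[]*\[(?<timestamp>.{26})] "(?<httpRequest>[^"]*)" (?<httpStatusCode>\d{3}) (?<bytesSent>[^ ]*) "(?<Referer>[^"]*)" "(?<userAgent>[^"]*)"/

# Hypothetical helper: returns the named captures as a Hash, or a Hash
# carrying grok's default failure tag when the line does not match.
def parse_access_line(line)
  m = ACCESS_RE.match(line)
  return { 'tags' => ['_grokparsefailure'] } unless m

  fields = m.named_captures
  # Normalise the access-log timestamp to UTC ISO 8601 (added field, not in the post).
  fields['timestamp_utc'] =
    Time.strptime(fields['timestamp'], '%d/%b/%Y:%H:%M:%S %z').utc.iso8601
  fields
end

# Message quoted in the post.
SAMPLE = '10.196.3.3 - - [01/Aug/2014:00:00:16 +0200] "GET / HTTP/1.1" 200 1507 "-" "-"'
# Constructed line with no bracketed timestamp, to exercise the failure path.
BROKEN = '10.196.3.3 - - "GET / HTTP/1.1" 200 1507 "-" "-"'

if __FILE__ == $PROGRAM_NAME
  p parse_access_line(SAMPLE)
  p parse_access_line(BROKEN)
end
```
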