grok解析失败-正在筛选错误日志

szqfcxe2  于 2021-06-14  发布在  ElasticSearch
关注(0)|答案(1)|浏览(424)

嗨,我得到以下错误:

"tags" => [
    [0] "beats_input_codec_plain_applied",
    [1] "_grokparsefailure"
]

我的logstash-sample.conf如下

input {
beats {
    port => "5044"
}
}

filter {
    grok {
         match => ["message","HTTPD20_ERRORLOG \[%{HTTPDERROR_DATE:timestamp}\] \[%{LOGLEVEL:loglevel}\] (?:\[client %{IPORHOST:clientip}\] )$
    }
}

output {
    stdout { codec => rubydebug }
}

有人能帮我一下吗?我在这里干什么?也在模式中{loglevel:loglevel}](?:[客户%{iporhost:clientip}我需要指定loglevel和clientip吗?
我的日志示例:

2020-10-09 14:24:33,489 [Thread1] INFO  ReceiverLogging- Connecting 
2020-10-09 14:24:34,166 [Thread1] INFO  ReceiverLogging- Connected...
2020-10-09 14:24:34,166 [Thread1] INFO  ReceiverLogging- Getting folder...
2020-10-09 14:24:34,167 [Thread1] INFO  ReceiverLogging- Got folder
2020-10-09 14:24:34,167 [Thread1] INFO  ReceiverLogging- Opening folder
2020-10-09 14:24:34,237 [Thread1] INFO  ReceiverLogging- getting folder 
2020-10-09 14:24:34,247 [Thread-6] ERROR CheckLog Error While Connecting to Websocket
javax.websocket.DeploymentException: The HTTP request to initiate the WebSocket connection failed
        at org.apache.tomcat.websocket.WsWebSocketContainer.connectToServer(WsWebSocketContainer.java:392)
        at org.apache.tomcat.websocket.WsWebSocketContainer.connectToServer(WsWebSocketContainer.java:150)
        at global.services.WebSocketClient.<init>(WebSocketClient.java:33)
        at global.services.WebSocketClient.getInstance(WebSocketClient.java:51)
        at global.services.SchedulerThread.run(SchedulerThread.java:63)
Caused by: java.util.concurrent.TimeoutException
        at sun.nio.ch.PendingFuture.get(PendingFuture.java:197)
        at org.apache.tomcat.websocket.WsWebSocketContainer.processResponse(WsWebSocketContainer.java:674)
        at org.apache.tomcat.websocket.WsWebSocketContainer.connectToServer(WsWebSocketContainer.java:340)
        ... 4 more
2020-10-09 14:24:34,248 [Thread-6] ERROR Exception- Error While Connecting to Websocket

请帮忙

elasticsearchlogstashelklogstash-configurationlogstash-grok

1条答案

按热度按时间
ruarlubt

ruarlubt1#

首先,我建议大家学习一下grok的一些基本知识以及它是如何工作的。在答案末尾添加一些有用的资源。
日志中的当前模式类似于timestamp classname loglevel logmessage
对于下面问题中的日志示例,它是一个示例管道,但不确定是否需要多行来捕获堆栈跟踪。在这种情况下,可以扩展以下内容。

filter {
   grok{
     match =>  { "message" => "%{TIMESTAMP_ISO8601:timeStamp}%{SPACE}\[%{DATA:className}\]%{SPACE}%{LOGLEVEL:logLevel}%{SPACE}%{GREEDYDATA:message}"} 
     overwrite => [ "message" ]
   }
   date {
      match => ["timeStamp","yyyy-MM-dd HH:mm:ss,SSS"]
      timezone => "Europe/London"
      target => "@timestamp"
      remove_field => ["timeStamp"]
    }

}

输出事件如下所示

{
      "logLevel" => "INFO",
      "@version" => "1",
          "path" => "/usr/share/logstash/stack/data/data.log",
     "className" => "Classname",
          "host" => "95b3783b146a",
    "@timestamp" => 2020-10-09T13:24:35.004Z,
       "message" => "LOGG- Sending message : Test"
}
{
      "logLevel" => "ERROR",
      "@version" => "1",
          "path" => "/usr/share/logstash/stack/data/data.log",
     "className" => "Classname",
          "host" => "95b3783b146a",
    "@timestamp" => 2020-10-09T13:24:35.004Z,
       "message" => "InternetApp- in details."
}

初学者指南
grok调试器
基本格洛克模式

赞(0)分享  回复(0)举报  2021-06-15
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备2022004421号-2 NULL123 https://www.null123.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com