logstash配置filter参数不够
来源:12-3 Logstash应用_Nginx日志拆解入库
靈寶
2018-01-21
在配置filter后参数和老师的rubydebug参数数量不一样。
配置filter:
filter{
if [type == "nginx_access"] {
grok {
patterns_dir =>"/usr/local/elk/logstash-5.6.4/config/patterns"
match =>{
"message" => "%{NGINXACCESS}"
}
}
date{
match => ["timestamp","dd/MMM/YYYY:HH:mm:ss Z"]
}
}
}配置之后:
{
"path" => "/usr/local/Cellar/nginx/1.12.2_1/logs/access.log",
"@timestamp" => 2018-01-21T06:35:19.304Z,
"@version" => "1",
"host" => "fulingdeMacBook-Pro.local",
"message" => "127.0.0.1 - - [21/Jan/2018:14:35:18 +0800] \"GET /search?word=%27a%27 HTTP/1.1\" 200 2 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36\" \"-\"",
"type" => "nginx_access",
"tags" => [
[0] "_grokparsefailure"
]
}最后附上我的patterns/nginx文件:
NGINXACCESS %{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{URIPATH:uri}%{URIPARAM:param}(?:HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} {?:%{NUMBER:bytes}|-} %{QS:referrer} %{QS:agent} %{QS:x_forwarded_for}写回答
1回答
-
靈寶
提问者
2018-01-21
已处理。后来百度后,说是某些参数的一丁点错误,都会出现`_grokparsefailure`。细心对比,发现bytes那里写错了。。。。注意空格,注意符号!!!!
现在为后面的读者提供一份patterns/nginx,可以自取:
```
NGINXACCESS %{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{URIPATH:uri}%{URIPARAM:param}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent} %{QS:x_forwarded_for}
```
112018-01-21
相似问题