问答博客标签用户活动
logo极客观点logo项目管理logoHarmonyOS
javascript
php
java
vue.js
git
html5
python
node.js
android
mysql
react.js
linux
ios
css
golang
spring
docker
程序员
logoONES 研发管理logo思否企业问答logo安谋科技 XPU

LogStash 正则匹配

头像
mousycoder
    5.4k136183

    日志格式

    2015-09-28·09:50:48·[http-bio-80-exec-13]·DEBUG·com.weitoo.server.aspect.LogAspect·-{ip:183.16.4.40,url:http://api.xx.com/server/sc/commodity/getOnlineCommodity,param:{"shopId":1000001,"needCategory":false,"needCommodityTotal":false,"searchCommodityId":1002001},return:{"status":1},cost:3.911ms}

    通过https://grokdebug.herokuapp.com/

    匹配出:

    time: 2015-09-28·09:50:48
level: DEBUG
class:com.weitoo.server.aspect.LogAspect
ip:183.16.4.40
path:http://api.xx.com/server/sc/commodity/getOnlineCommodity
param:{"shopId":1000001,"needCategory":false,"needCommodityTotal":false,"searchCommodityId":1002001}
return:{"status":1}
cost:3.911

    本人也尝试研究了tomcat_log 的demo
    https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/java
    (没匹配出message)

    以及自动生成grok表达式的网站
    http://grokconstructor.appspot.com/ (有点小bug)

    官网说明也看了

    https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html
    (只举了简单的正则)

    均以失败告终,研究了好久了,望大侠指教啊~~

    日志分析
    阅读 21.8k
    1 个回答
    得票最新
    头像
    mousycoder
      5.4k136183

      已经解决

      SERVER_LOG %{DATA:year}-%{DATA:month}-%{DATA:day}\ %{DATA:hour}\:%{DATA:min}\:%{DATA:sec}\ %{DATA:level}\ %{DATA:class} -{ip:%{DATA:ip},url:%{DATA:url},param:%{DATA:param},return:%{DATA:return},cost:%{BASE10NUM:cost}

      conf

      input {
  file {
   type=>"xx_server_log"
   path=>"/opt/software/apache-tomcat-7.0.59/logs/catalina.out"
   codec=> multiline {
           pattern => "(^.+Exception:.+)|(^\s+at .+)|(^\s+... \d+ more)|(^\s*Caused by:.+)"
           what=> "previous"
    }

 }
}



filter {
        if [type] == "xx_server_log" {
           grok {
                 match => [ "message","%{SERVER_LOG}"]
                 patterns_dir => ["/opt/conf/logstash"]
                 remove_field => ["message"]
          }
        }
}


output {
   elasticsearch {
  host =>"xx-management"
  protocol =>"http"
  workers => 5
  template_overwrite => true

}
   stdout { codec=> rubydebug }
}
      撰写回答
      你尚未登录,登录后可以
      • 和开发者交流问题的细节
      • 关注并接收问题和回答的更新提醒
      • 参与内容的编辑和改进,让解决方法与时俱进
      推荐问题
      宣传栏