试过各种方法，日志最终能写入 ES，但 grok 中用 %{} 定义的字段在后续 filter 里取不到：ES 索引中只有一个 message 字段，没有 clientip、ident、auth 之类的字段；而网上别人贴出的类似配置都能正常存下这些字段。
input {
  # Tail the Tomcat access logs (one event per line). Every event is marked
  # type => "tomcat_log" so the filter and output sections can select it.
  file {
    type => "tomcat_log"
    path => "/var/tomcat8/logs/vg_access_log*.txt"
    # Read offsets are persisted here so a restart does not re-ingest the
    # files; the path must be writable by the Logstash process.
    sincedb_path => "/usr/local/logstash/etc/sincedb_tomcat_log.txt"
    # "xxx" is a placeholder from the original post -- replace with the host.
    add_field => { "tomcatip" => "xxx" }
  }
}
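filter {
  if [type] == "tomcat_log" {
    # Parse one Tomcat access-log line. The pattern assumes a custom
    # AccessLogValve format of roughly
    #   %h %l %u %t "%r" %s %b %D "%{Referer}i" "%{User-Agent}i"
    # -- confirm against the valve definition in server.xml. grok is
    # all-or-nothing: if any token fails, no field is created, the event keeps
    # only the raw "message" and is tagged _grokparsefailure.
    grok {
      # Changes from the original pattern, each a known cause of a full
      # match failure:
      #  * no trailing space after %{QS:agent} -- a literal space at the end
      #    of the pattern only matches if the log line also ends in a space;
      #  * %{NOTSPACE:request} instead of %{URIPATHPARAM}, so requests such as
      #    absolute URLs, "*" (OPTIONS) or odd characters do not break it;
      #  * %{DATA:referrer} inside the quotes instead of (?:%{URI}|-), because
      #    %{URI} rejects many real-world (malformed) Referer values.
      match => { "message" => "%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|-)\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{NUMBER:responsetime} \"%{DATA:referrer}\" %{QS:agent}" }
      # Keep the default tag_on_failure: the _grokparsefailure tag is the only
      # signal that the pattern did not match.
    }

    # Skip enrichment when grok failed: none of the fields below exist, and
    # the untouched raw event is what you want to inspect while debugging.
    if "_grokparsefailure" not in [tags] {
      kv {
        source => "request"
        field_split => "&?"
        value_split => "="
        # Query-string keys are attacker-controlled input. Written to the
        # event root (the default) a request like "/x?type=foo" collides with
        # this pipeline's own "type" field, and arbitrary key names inflate
        # the Elasticsearch index mapping. Namespacing them under "query"
        # keeps them away from pipeline and system fields.
        target => "query"
      }

      date {
        # Apache/Tomcat %t format, e.g. 10/Oct/2000:13:55:36 -0700.
        match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
        # Parsed into "writetime", NOT @timestamp: @timestamp (and hence the
        # daily index name in the output) stays at ingest time. Use
        # target => "@timestamp" if the index should follow the log time.
        target => "writetime"
      }

      mutate {
        convert => {
          "response" => "integer"
          "bytes" => "integer"
          # Valid for %D (milliseconds). If the valve uses %T (seconds with
          # decimals) this must be "float" or the conversion fails.
          "responsetime" => "integer"
        }
      }
    }
  }
}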
output {
  # Only events from the tomcat_log input are indexed; anything else that
  # reaches this pipeline is dropped here.
  if [type] == "tomcat_log" {
    elasticsearch {
      # "xxx" is a placeholder from the original post. Plain HTTP on 9200 as
      # written; add ssl/user/password here if the cluster requires them.
      hosts => ["xxx:9200"]
      # One index per day. %{+YYYY.MM.dd} is rendered from @timestamp, which
      # this pipeline never overwrites (the date filter writes "writetime"),
      # so the index reflects ingest time, not the time in the log line.
      index => "tomcat-log-%{+YYYY.MM.dd}"
    }
  }
}
自问自答吧。因为刚接触 ELK，一直不知道错在哪里，排查方向也一直是错的，最后才发现错误提示就在 ES 文档的 tags 字段里：_grokparsefailure，说明是 grok 正则没有匹配上日志行。grok 是整条匹配：pattern 中任何一段对不上，就不会生成任何字段，事件只保留原始 message 并打上该 tag。排查时建议先拿一行原始日志到 Grok Debugger 里验证 pattern（注意行尾多余的空格、URI/URIPATHPARAM 对实际 URL 过于严格等常见问题），再写进配置。