Logstash filter configuration
Json filter
Grok filter
KV filter
When the data is in JSON format, the json filter parses it into the data structure you want.
filter {
  json {
    add_field    => ...   # hash (optional), default {}
    add_tag      => ...   # array (optional), default []
    remove_field => ...   # array (optional), default []
    remove_tag   => ...   # array (optional), default []
    source       => ...   # string (required)
    target       => ...   # string (optional)
  }
}
input {
  stdin { }
}
filter {
  json {
    source => "message"
  }
}
output {
  stdout { codec => rubydebug }
}
Grok filter
grok is currently the best tool in Logstash for parsing all kinds of unstructured log data.
Official patterns:
https://github.com/logstash-plugins/logstash-patterns-core/tree/master/patterns
https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/grok-patterns
Nginx log:
55.3.244.1 GET /index.html 15824 0.043
Matching pattern:
%{IP:ip} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}
input {
  file {
    path => "/var/log/nginx_access.log"
    type => "nginx"
    start_position => "beginning"
  }
}
filter {
  grok {
    match => ["message", "%{IP:ip} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}"]
  }
}
output {
  stdout { codec => rubydebug }
}
55.3.244.1 GET /index.html 15824 0.043 15BE7F4DF8
(?<field_name>[0-9A-F]{10,11})
%{IP:ip} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration} (?<field_name>[0-9A-F]{10,11})
patterns_dir
input {
  file {
    path => ["/var/log/http.log"]
    type => "nginx"
    start_position => "beginning"
  }
}
filter {
  grok {
    # Directory holding custom pattern files; POSTFIX_QUEUEID is expected to be defined there
    patterns_dir => "/your_path/patterns"
    match => { "message" => "%{IP:ip} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration} %{POSTFIX_QUEUEID:id}" }
  }
}
Defining multiple match rules
match => [
"message", "%{DATESTAMP} %{POSINT:pid} %{LOGLEVEL:level} %{DATA:component} \[req\-%{DATA:requestid:string} %{DATA:userid:string} %{DATA:tenant:string} \- - -] %{GREEDYDATA:message}",
"message", "%{DATESTAMP} %{POSINT:pid} %{LOGLEVEL:level} %{DATA:component} \[-]\ %{IPV4:fromip} %{GREEDYDATA:message}",
"message", "%{DATESTAMP} %{POSINT:pid} %{LOGLEVEL:level} %{DATA:component} \[req\-%{DATA:requestid:string} %{DATA:userid:string} %{DATA:tenant:string} \- - -] %{IPV4:fromip} %{GREEDYDATA:message}",
"message", "%{DATESTAMP} %{POSINT:pid} %{LOGLEVEL:level} %{DATA:component} \[-]\ %{GREEDYDATA:message}",
"message", "%{DATESTAMP} %{POSINT:pid} %{LOGLEVEL:level} %{DATA:component} \[req\-%{GREEDYDATA:requestid:string}\- - - - -] %{GREEDYDATA:message}",
"message", "%{DATESTAMP} %{POSINT:pid} %{LOGLEVEL:level} %{DATA:component} %{GREEDYDATA:message}"
]
filter {
  grok {
    add_field           => ...   # hash, optional, default {}
    add_tag             => ...   # array, optional, default []
    break_on_match      => ...   # boolean, optional, default true
    keep_empty_captures => ...   # boolean, optional, default false
    match               => ...   # hash, optional, default {}
    named_captures_only => ...   # boolean, optional, default true
    overwrite           => ...   # array, optional, default []
    patterns_dir        => ...   # array, optional, default []
    periodic_flush      => ...   # boolean, optional, default false
    remove_field        => ...   # array, optional, default []
    remove_tag          => ...   # array, optional, default []
    tag_on_failure      => ...   # array, optional, default ["_grokparsefailure"]
  }
}
KV filter
Parses and processes data made up of key-value pairs.
https://www.baidu.com/s?wd=奥巴马&rsv_spt=1&rsv_iqid=0x90dd7e610001f239&issp=1&f=3&rsv_bp=1&rsv_idx=2&ie=utf-8&tn=baiduhome_pg&rsv_enter=0&oq=奥巴马&rsv_t=b39atb4WgjYrHvo4SnLlmez2VMymtEWBoQPRTiUrWZcluDRfAVZ5R%2F%2FFyzJ2KKaXFMIv&rsv_pq=b374731e0000037a&prefixsug=奥巴马&rsp=0
input {
  stdin { }
}
filter {
  kv {
    field_split => "&?"
  }
}
output {
  stdout {
    codec => rubydebug
  }
}
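The grok and kv filters described above, combined into one pipeline that treats the request line as untrusted input. This is an added example, not part of the original article; the `url_params` target, the `include_keys` list, the failure-log path and the sample line are assumptions chosen for illustration.

```logstash
# Added example (not from the original article).
# Constructed sample input line:
#   55.3.244.1 GET /s?wd=test&ie=utf-8 15824 0.043
input {
  stdin { }
}
filter {
  grok {
    # ^ and $ anchor the pattern so extra trailing data makes the match
    # fail instead of being silently ignored; :int / :float store the
    # numbers as numeric types rather than strings.
    match => { "message" => "^%{IP:ip} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes:int} %{NUMBER:duration:float}$" }
    tag_on_failure => ["_grokparsefailure"]
  }
  if "_grokparsefailure" not in [tags] {
    kv {
      # Parse only the query string captured by grok, not the whole line.
      source       => "request"
      field_split  => "&?"
      # Keys are chosen by the client. Nesting them under one field stops
      # a parameter such as "ip=..." from overwriting the grok result, and
      # the allow-list stops arbitrary keys from creating new fields.
      target       => "url_params"
      include_keys => ["wd", "ie"]
    }
  }
}
output {
  if "_grokparsefailure" in [tags] {
    # Keep lines that did not parse so gaps in coverage stay visible.
    # Path is a hypothetical location.
    file { path => "/tmp/grok_failures.log" }
  } else {
    stdout { codec => rubydebug }
  }
}
```

The json filter's `target` option serves the same purpose when the JSON payload comes from an untrusted source: parsed keys land under one field instead of at the top level of the event.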
Article link: http://www.codes51.com/article/detail_283890.html