logstash + grok regex syntax
Published: 2019-05-25


For the detailed regex rules, see:

Regex syntax rules

Example:

The log format is as follows:

[vclound][2015-11-03 03:35:50,283][INFO][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:203][_new_conn][-][140192616544000]=[Starting new HTTP connection (1): 240.10.129.80]
[vclound][2015-11-03 03:35:50,381][DEBUG][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295][_make_request][-][140192616544000]=["POST /v2.0/tokens HTTP/1.1" 200 3080]
[vclound][2015-11-03 03:35:50,384][INFO][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:203][_new_conn][-][140192616544000]=[Starting new HTTP connection (1): 240.10.129.160]
[vclound][2015-11-03 03:35:50,454][DEBUG][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295][_make_request][-][140192616544000]=["GET /v2/bb0b51d166254dc99bc7462c0ac002ff/servers/b4b530e7-cd9b-42c1-bcd4-a48140726846 HTTP/1.1" 404 73]

logstash regex rule, for reference:


filter {
  if [type] == "pinyun" {
    grok {
      # One grok pattern per bracketed field; the literal [ ] and = are escaped.
      match => { "message" => "\[%{USERNAME:username}\]\[%{TIMESTAMP_ISO8601:time}\]\[%{LOGLEVEL:loglevel}\]\[%{PROG:filepath}\]\[%{PROG:function}\]\[-\]\[%{BASE16NUM:progid}\]\=\[%{GREEDYDATA:info}\]" }
      # Record when the event was received and from which host.
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
  }
}

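Note: when the log output contains spaces, the pattern must contain the same spaces; when it contains a special character, match that character directly (escaped where it is a regex metacharacter, as with \[ and \] above).

Output

As follows: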

{
          "message" => "[vclound][2015-11-03 03:35:50,283][INFO][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:203][_new_conn][-][140192616544000]=[Starting new HTTP connection (1): 240.10.129.80]",
         "@version" => "1",
       "@timestamp" => "2015-11-03T02:01:30.051Z",
             "type" => "pinyun",
             "file" => "/apps/logs/uwsgi/uwsgi.log",
             "host" => "terry-zskvt.vclound.com",
           "offset" => "58995",
         "username" => "vclound",
             "time" => "2015-11-03 03:35:50,283",
         "loglevel" => "INFO",
         "filepath" => "/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:203",
         "function" => "_new_conn",
           "progid" => "140192616544000",
             "info" => "Starting new HTTP connection (1): 240.10.129.80",
      "received_at" => "2015-11-03T02:01:30.051Z",
    "received_from" => "terry-zskvt.vclound.com"
}
{
          "message" => "[vclound][2015-11-03 03:35:50,381][DEBUG][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295][_make_request][-][140192616544000]=[\"POST /v2.0/tokens HTTP/1.1\" 200 3080]",
         "@version" => "1",
       "@timestamp" => "2015-11-03T02:01:30.060Z",
             "type" => "pinyun",
             "file" => "/apps/logs/uwsgi/uwsgi.log",
             "host" => "terry-zskvt.vclound.com",
           "offset" => "59181",
         "username" => "vclound",
             "time" => "2015-11-03 03:35:50,381",
         "loglevel" => "DEBUG",
         "filepath" => "/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295",
         "function" => "_make_request",
           "progid" => "140192616544000",
             "info" => "\"POST /v2.0/tokens HTTP/1.1\" 200 3080",
      "received_at" => "2015-11-03T02:01:30.060Z",
    "received_from" => "terry-zskvt.vclound.com"
}
{
          "message" => "[vclound][2015-11-03 03:35:50,384][INFO][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:203][_new_conn][-][140192616544000]=[Starting new HTTP connection (1): 240.10.129.160]",
         "@version" => "1",
       "@timestamp" => "2015-11-03T02:01:30.068Z",
             "type" => "pinyun",
             "file" => "/apps/logs/uwsgi/uwsgi.log",
             "host" => "terry-zskvt.vclound.com",
           "offset" => "59362",
         "username" => "vclound",
             "time" => "2015-11-03 03:35:50,384",
         "loglevel" => "INFO",
         "filepath" => "/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:203",
         "function" => "_new_conn",
           "progid" => "140192616544000",
             "info" => "Starting new HTTP connection (1): 240.10.129.160",
      "received_at" => "2015-11-03T02:01:30.068Z",
    "received_from" => "terry-zskvt.vclound.com"
}
{
          "message" => "[vclound][2015-11-03 03:35:50,454][DEBUG][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295][_make_request][-][140192616544000]=[\"GET /v2/bb0b51d166254dc99bc7462c0ac002ff/servers/b4b530e7-cd9b-42c1-bcd4-a48140726846 HTTP/1.1\" 404 73]",
         "@version" => "1",
       "@timestamp" => "2015-11-03T02:01:30.074Z",
             "type" => "pinyun",
             "file" => "/apps/logs/uwsgi/uwsgi.log",
             "host" => "terry-zskvt.vclound.com",
           "offset" => "59549",
         "username" => "vclound",
             "time" => "2015-11-03 03:35:50,454",
         "loglevel" => "DEBUG",
         "filepath" => "/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295",
         "function" => "_make_request",
           "progid" => "140192616544000",
             "info" => "\"GET /v2/bb0b51d166254dc99bc7462c0ac002ff/servers/b4b530e7-cd9b-42c1-bcd4-a48140726846 HTTP/1.1\" 404 73",
      "received_at" => "2015-11-03T02:01:30.074Z",
    "received_from" => "terry-zskvt.vclound.com"
}
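The filter above, mirrored in Python as an added example (not code from the original post or from Logstash) so the field extraction can be tested offline against this page's log lines. The regex fragments are simplified stand-ins for the grok patterns, and HTTP_RE, event_time and summarize are hypothetical additions: they keep the log's own time, which in the output above differs from the ingest-time @timestamp, and pull the HTTP status out of info.

```python
import re
from datetime import datetime

# Simplified stand-ins for the grok patterns named in the filter above; these
# character classes are assumptions for this example, not the shipped definitions.
LINE_RE = re.compile(
    r"^\[(?P<username>[A-Za-z0-9._-]+)\]"                      # USERNAME
    r"\[(?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\]"      # TIMESTAMP_ISO8601
    r"\[(?P<loglevel>[A-Z]+)\]"                                # LOGLEVEL
    r"\[(?P<filepath>[^\]\s]+)\]\[(?P<function>[^\]\s]+)\]"    # PROG, PROG
    r"\[-\]\[(?P<progid>[0-9A-Fa-f]+)\]"                       # literal [-], BASE16NUM
    r"=\[(?P<info>.*)\]$"                                      # GREEDYDATA, up to the last ]
)
# Second stage (hypothetical, not in the original filter): request lines inside `info`.
HTTP_RE = re.compile(r'^"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+)$')

def parse_line(line):
    """Return the extracted fields, or None where grok would tag _grokparsefailure."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    # Event time comes from the log line itself, not from the time of ingestion.
    event["event_time"] = datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S,%f")
    http = HTTP_RE.match(event["info"])
    if http:
        event.update(http_method=http["method"], http_path=http["path"],
                     http_status=int(http["status"]), http_bytes=int(http["size"]))
    return event

# Three lines from the log shown on this page, plus one constructed malformed line.
SAMPLE = [
    '[vclound][2015-11-03 03:35:50,283][INFO][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:203][_new_conn][-][140192616544000]=[Starting new HTTP connection (1): 240.10.129.80]',
    '[vclound][2015-11-03 03:35:50,381][DEBUG][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295][_make_request][-][140192616544000]=["POST /v2.0/tokens HTTP/1.1" 200 3080]',
    '[vclound][2015-11-03 03:35:50,454][DEBUG][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295][_make_request][-][140192616544000]=["GET /v2/bb0b51d166254dc99bc7462c0ac002ff/servers/b4b530e7-cd9b-42c1-bcd4-a48140726846 HTTP/1.1" 404 73]',
    '[vclound][2015-11-03 03:35:50,500] constructed line that lacks the remaining fields',
]

def summarize(lines):
    """Return (parsed events, unparsed lines, [(status, path)] for HTTP status >= 400)."""
    parsed = [(line, parse_line(line)) for line in lines]
    events = [ev for _, ev in parsed if ev is not None]
    unparsed = [line for line, ev in parsed if ev is None]
    errors = [(e["http_status"], e["http_path"]) for e in events if e.get("http_status", 0) >= 400]
    return events, unparsed, errors

if __name__ == "__main__":
    print(summarize(SAMPLE)[1:])
```

Lines that end up in the unparsed list correspond to events Logstash would tag _grokparsefailure; counting them shows how much of the log the pattern actually covers.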

Reposted from: http://gmnni.baihongyu.com/
