logstash + grok regular expression syntax
Published: 2019-06-23


Detailed regex rules reference:

Example:

The log format is as follows:

[vclound][2015-11-03 03:35:50,283][INFO][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:203][_new_conn][-][140192616544000]=[Starting new HTTP connection (1): 240.10.129.80]
[vclound][2015-11-03 03:35:50,381][DEBUG][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295][_make_request][-][140192616544000]=["POST /v2.0/tokens HTTP/1.1" 200 3080]
[vclound][2015-11-03 03:35:50,384][INFO][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:203][_new_conn][-][140192616544000]=[Starting new HTTP connection (1): 240.10.129.160]
[vclound][2015-11-03 03:35:50,454][DEBUG][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295][_make_request][-][140192616544000]=["GET /v2/bb0b51d166254dc99bc7462c0ac002ff/servers/b4b530e7-cd9b-42c1-bcd4-a48140726846 HTTP/1.1" 404 73]

The Logstash grok rule for this format:

filter {
  # Apply the pattern only to events of type "pinyun"
  if [type] == "pinyun" {
    grok {
      match => { "message" => "\[%{USERNAME:username}\]\[%{TIMESTAMP_ISO8601:time}\]\[%{LOGLEVEL:loglevel}\]\[%{PROG:filepath}\]\[%{PROG:function}\]\[-\]\[%{BASE16NUM:progid}\]\=\[%{GREEDYDATA:info}\]" }
      # Record when the event was received and from which host
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
  }
}

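Note: if the log output contains a space, the pattern must contain that space at the same position. If it contains a special character, match that character literally (escaped where the regex requires it, as with \[ and \] above).

The output looks like this: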

{
          "message" => "[vclound][2015-11-03 03:35:50,283][INFO][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:203][_new_conn][-][140192616544000]=[Starting new HTTP connection (1): 240.10.129.80]",
         "@version" => "1",
       "@timestamp" => "2015-11-03T02:01:30.051Z",
             "type" => "pinyun",
             "file" => "/apps/logs/uwsgi/uwsgi.log",
             "host" => "terry-zskvt.vclound.com",
           "offset" => "58995",
         "username" => "vclound",
             "time" => "2015-11-03 03:35:50,283",
         "loglevel" => "INFO",
         "filepath" => "/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:203",
         "function" => "_new_conn",
           "progid" => "140192616544000",
             "info" => "Starting new HTTP connection (1): 240.10.129.80",
      "received_at" => "2015-11-03T02:01:30.051Z",
    "received_from" => "terry-zskvt.vclound.com"
}
{
          "message" => "[vclound][2015-11-03 03:35:50,381][DEBUG][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295][_make_request][-][140192616544000]=[\"POST /v2.0/tokens HTTP/1.1\" 200 3080]",
         "@version" => "1",
       "@timestamp" => "2015-11-03T02:01:30.060Z",
             "type" => "pinyun",
             "file" => "/apps/logs/uwsgi/uwsgi.log",
             "host" => "terry-zskvt.vclound.com",
           "offset" => "59181",
         "username" => "vclound",
             "time" => "2015-11-03 03:35:50,381",
         "loglevel" => "DEBUG",
         "filepath" => "/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295",
         "function" => "_make_request",
           "progid" => "140192616544000",
             "info" => "\"POST /v2.0/tokens HTTP/1.1\" 200 3080",
      "received_at" => "2015-11-03T02:01:30.060Z",
    "received_from" => "terry-zskvt.vclound.com"
}
{
          "message" => "[vclound][2015-11-03 03:35:50,384][INFO][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:203][_new_conn][-][140192616544000]=[Starting new HTTP connection (1): 240.10.129.160]",
         "@version" => "1",
       "@timestamp" => "2015-11-03T02:01:30.068Z",
             "type" => "pinyun",
             "file" => "/apps/logs/uwsgi/uwsgi.log",
             "host" => "terry-zskvt.vclound.com",
           "offset" => "59362",
         "username" => "vclound",
             "time" => "2015-11-03 03:35:50,384",
         "loglevel" => "INFO",
         "filepath" => "/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:203",
         "function" => "_new_conn",
           "progid" => "140192616544000",
             "info" => "Starting new HTTP connection (1): 240.10.129.160",
      "received_at" => "2015-11-03T02:01:30.068Z",
    "received_from" => "terry-zskvt.vclound.com"
}
{
          "message" => "[vclound][2015-11-03 03:35:50,454][DEBUG][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295][_make_request][-][140192616544000]=[\"GET /v2/bb0b51d166254dc99bc7462c0ac002ff/servers/b4b530e7-cd9b-42c1-bcd4-a48140726846 HTTP/1.1\" 404 73]",
         "@version" => "1",
       "@timestamp" => "2015-11-03T02:01:30.074Z",
             "type" => "pinyun",
             "file" => "/apps/logs/uwsgi/uwsgi.log",
             "host" => "terry-zskvt.vclound.com",
           "offset" => "59549",
         "username" => "vclound",
             "time" => "2015-11-03 03:35:50,454",
         "loglevel" => "DEBUG",
         "filepath" => "/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295",
         "function" => "_make_request",
           "progid" => "140192616544000",
             "info" => "\"GET /v2/bb0b51d166254dc99bc7462c0ac002ff/servers/b4b530e7-cd9b-42c1-bcd4-a48140726846 HTTP/1.1\" 404 73",
      "received_at" => "2015-11-03T02:01:30.074Z",
    "received_from" => "terry-zskvt.vclound.com"
}
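
The same match as an added example, not part of the original post: the grok expression from the filter above is expanded into a Python regular expression and run over two of the sample lines plus one constructed line with a stray space. The GROK table holds simplified approximations of the Logstash patterns (an assumption), and compile_grok, parse and SAMPLES are names chosen for this sketch.

```python
import re

# Simplified stand-ins for the grok patterns used in the filter above
# (assumption: approximations, not Logstash's exact definitions).
GROK = {
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?",
    "LOGLEVEL": r"[A-Za-z]+",
    "PROG": r"[\x21-\x5a\x5c\x5e-\x7e]+",  # printable ASCII except '[' and ']'
    "BASE16NUM": r"[+-]?(?:0x)?[0-9A-Fa-f]+",
    "GREEDYDATA": r".*",
}

# The match expression from the filter, copied verbatim.
EXPR = (r"\[%{USERNAME:username}\]\[%{TIMESTAMP_ISO8601:time}\]"
        r"\[%{LOGLEVEL:loglevel}\]\[%{PROG:filepath}\]\[%{PROG:function}\]"
        r"\[-\]\[%{BASE16NUM:progid}\]\=\[%{GREEDYDATA:info}\]")


def compile_grok(expr):
    """Expand each %{NAME:field} into a named group; the rest stays literal regex."""
    def expand(m):
        return "(?P<%s>%s)" % (m.group(2), GROK[m.group(1)])
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, expr))


PATTERN = compile_grok(EXPR)


def parse(line):
    """Return the extracted fields, or tag the event the way grok does on a miss."""
    m = PATTERN.search(line)
    if m is None:
        return {"message": line, "tags": ["_grokparsefailure"]}
    return dict(m.groupdict(), message=line)


# The first two lines come from the log above; the third is constructed
# (a space added between two fields) to show that literal spacing must match.
SAMPLES = [
    "[vclound][2015-11-03 03:35:50,283][INFO][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:203][_new_conn][-][140192616544000]=[Starting new HTTP connection (1): 240.10.129.80]",
    '[vclound][2015-11-03 03:35:50,454][DEBUG][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295][_make_request][-][140192616544000]=["GET /v2/bb0b51d166254dc99bc7462c0ac002ff/servers/b4b530e7-cd9b-42c1-bcd4-a48140726846 HTTP/1.1" 404 73]',
    "[vclound] [2015-11-03 03:35:50,283][INFO][/tmp/x.py:1][f][-][1]=[spaced]",
]

if __name__ == "__main__":
    for event in map(parse, SAMPLES):
        print(event.get("tags") or {k: event[k] for k in ("loglevel", "function", "info")})
```

Events tagged _grokparsefailure keep only the raw message, so a pipeline that feeds alerting should count or route them rather than drop them silently.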





Reposted from: http://iovra.baihongyu.com/
