Inserting a dummy value for empty field while parsing using grok logstash
I am trying to parse logs and put them into Elasticsearch using logstash.
My log file format is as follows
[18-Aug-2016 02:28:46,537][ERROR][thread1][package.name] there is error in line 52
\[%{GREEDYDATA:date} %{GREEDYDATA:time}\]\[%{LOGLEVEL:log_type}\]\[%{GREEDYDATA:thread_name}\]\[%{GREEDYDATA:package}\](%{GREEDYDATA:log_msg})?
When I run this grok filter, I get the correct output. However, there are cases where the input I get does not have the last field (log_msg), like this:
[18-Aug-2016 02:28:46,537][ERROR][thread1][package.name]
In this case, grok ignores the last field log_msg, and it is not inserted into Elasticsearch.
However, is there any way we can set the log_msg field to an empty string or a string saying "no data" if it is not present in the message?
Actual output:
{
"message" => "[18-Aug-2016 02:28:46,537][ERROR][thread1][package.name]",
"@version" => "1",
"@timestamp" => "2016-08-17T12:31:58.209Z",
"path" => "/home/admin-nfv/test1_log.log",
"host" => "nendc1-bg-d104",
"date" => "18-Aug-2016",
"time" => "02:28:46,537",
"log_type" => "ERROR",
"thread_name" => "thread1",
"package" => "package.name"
}
Expected output:
{
"message" => "[18-Aug-2016 02:28:46,537][ERROR][thread1][package.name]",
"@version" => "1",
"@timestamp" => "2016-08-17T12:31:58.209Z",
"path" => "/home/admin-nfv/test1_log.log",
"host" => "nendc1-bg-d104",
"date" => "18-Aug-2016",
"time" => "02:28:46,537",
"log_type" => "ERROR",
"thread_name" => "thread1",
"package" => "package.name",
"log_msg" => "no data"
}
You can add a mutate filter that will add an empty field if it doesn't exist:
filter {
  if ![log_msg] {
    mutate {
      add_field => { "log_msg" => "no data" }
    }
  }
}