logstash 根据条件应用多个过滤器
logstash apply multiple filters based on condition
我的日志行如下:
11:05:44,924 DEBUG DataFeed:? - Data received: data=TextMessage={ Header={ JMSMessageID={ID:someId} JMSDestination={Topic[someTopic]} JMSReplyTo={null} JMSDeliveryMode={NON_PERSISTENT} JMSRedelivered={false} JMSCorrelationID={null} JMSType={null} JMSTimestamp={Tue Aug 30 11:05:44 BST 2016} JMSExpiration={Tue Aug 30 11:06:44 BST 2016} JMSPriority={4} } Properties={ ACTION={String:ADD} XT_S_USER={String:someString} APPNAME={String:someFeeName} XT_BOOK={String:someBook} } Text={<?xml version="1.0"?><!DOCTYPE PSRequest><PSRequest><trade>..XML Tags..</trade></PSRequest>} }
我正在尝试在上面的日志行上应用 XML 过滤器,但失败了:
:exception=>#<NoMethodError: undefined method `start_with?' for nil:NilClass>, :backtrace=>["/jruby/1.9/gems/logstash-core-event-2.3.2-java/lib/logstash/event.rb:130:in `[]='", "/jruby/1.9/gems/logstash-filter-xml-2.1.4/lib/logstash/filters/xml.rb:166:in `filter'", "/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/filters/base.rb:151:in `multi_filter'", "org/jruby/RubyArray.java:1613:in `each'", "/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/filters/base.rb:148:in `multi_filter'", "(eval):41:in `filter_func'", "/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/pipeline.rb:267:in `filter_batch'", "org/jruby/RubyArray.java:1613:in `each'", "org/jruby/RubyEnumerable.java:852:in `inject'", "/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/pipeline.rb:265:in `filter_batch'", "/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/pipeline.rb:223:in `worker_loop'", "/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/pipeline.rb:201:in `start_workers'"], :level=>:warn}
还有某些行没有XML内容,我想将它们发送到grok过滤器,我该如何实现?
编辑:
下面是关于如何实现的小片段
我的情况是这样的:
if(message.contains(certainText)) {
//apply grok filter and extract xml from it and send it to xml filter and then to ES
} else if(message.contains(someOtherText)) {
//Apply grok filter and extract key value pairs and send it to kv filter and then to ES
} else {
//straight away send that message to ES without any parsing.
}
XML 过滤器失败,因为输入无效 XML。
您必须提取 XML 然后使用 XML 过滤器。要提取 XML,您必须使用具有此模式的 grok 过滤器:
%{GREEDYDATA} Text={%{GREEDYDATA:xml}} }
它将创建一个名为 xml 的字段,其中包含:<?xml·version="1.0"?><!DOCTYPE·PSRequest><PSRequest><trade>..XML·Tags..</trade></PSRequest>
然后您可以在此字段上使用 xml 过滤器。
要将不包含 XML 的行发送到另一个 grok 过滤器,您可以使用 conditionals 分隔部分配置。如果您想要更准确的答案,您必须在日志中添加更多信息(最好使用其他问题)。
编辑:
if [message] ~= /certainText/ {
...
} else if [message] ~= /someOtherText/ {
...
} else {
...
}
我的日志行如下:
11:05:44,924 DEBUG DataFeed:? - Data received: data=TextMessage={ Header={ JMSMessageID={ID:someId} JMSDestination={Topic[someTopic]} JMSReplyTo={null} JMSDeliveryMode={NON_PERSISTENT} JMSRedelivered={false} JMSCorrelationID={null} JMSType={null} JMSTimestamp={Tue Aug 30 11:05:44 BST 2016} JMSExpiration={Tue Aug 30 11:06:44 BST 2016} JMSPriority={4} } Properties={ ACTION={String:ADD} XT_S_USER={String:someString} APPNAME={String:someFeeName} XT_BOOK={String:someBook} } Text={<?xml version="1.0"?><!DOCTYPE PSRequest><PSRequest><trade>..XML Tags..</trade></PSRequest>} }
我正在尝试在上面的日志行上应用 XML 过滤器,但失败了:
:exception=>#<NoMethodError: undefined method `start_with?' for nil:NilClass>, :backtrace=>["/jruby/1.9/gems/logstash-core-event-2.3.2-java/lib/logstash/event.rb:130:in `[]='", "/jruby/1.9/gems/logstash-filter-xml-2.1.4/lib/logstash/filters/xml.rb:166:in `filter'", "/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/filters/base.rb:151:in `multi_filter'", "org/jruby/RubyArray.java:1613:in `each'", "/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/filters/base.rb:148:in `multi_filter'", "(eval):41:in `filter_func'", "/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/pipeline.rb:267:in `filter_batch'", "org/jruby/RubyArray.java:1613:in `each'", "org/jruby/RubyEnumerable.java:852:in `inject'", "/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/pipeline.rb:265:in `filter_batch'", "/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/pipeline.rb:223:in `worker_loop'", "/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/pipeline.rb:201:in `start_workers'"], :level=>:warn}
还有某些行没有XML内容,我想将它们发送到grok过滤器,我该如何实现?
编辑:
下面是关于如何实现的小片段
我的情况是这样的:
if(message.contains(certainText)) {
//apply grok filter and extract xml from it and send it to xml filter and then to ES
} else if(message.contains(someOtherText)) {
//Apply grok filter and extract key value pairs and send it to kv filter and then to ES
} else {
//straight away send that message to ES without any parsing.
}
XML 过滤器失败,因为输入无效 XML。
您必须提取 XML 然后使用 XML 过滤器。要提取 XML,您必须使用具有此模式的 grok 过滤器:
%{GREEDYDATA} Text={%{GREEDYDATA:xml}} }
它将创建一个名为 xml 的字段,其中包含:<?xml·version="1.0"?><!DOCTYPE·PSRequest><PSRequest><trade>..XML·Tags..</trade></PSRequest>
然后您可以在此字段上使用 xml 过滤器。
要将不包含 XML 的行发送到另一个 grok 过滤器,您可以使用 conditionals 分隔部分配置。如果您想要更准确的答案,您必须在日志中添加更多信息(最好使用其他问题)。
编辑:
if [message] ~= /certainText/ {
...
} else if [message] ~= /someOtherText/ {
...
} else {
...
}