从日志路径解析的字段未添加到 logstash 中
Fields parsed from log path not added in logstash
我正在使用 logstash 解析多个日志文件 - 并希望将基于文件路径的字段添加到我的输出中。以下是配置文件的相关部分:
input {
file {
path => "/mnt/logs/**/console-20200108*.log"
type => "tomcat"
start_position => "beginning"
sincedb_path => "/dev/null"
}
}
filter {
if [type] == "tomcat" {
grok {
patterns_dir => "/usr/share/logstash/patterns"
match => {
"message" => [ "%{TOMCAT_LOG_1}", "%{TOMCAT_LOG_2}" ]
"path" => "\/mnt\/logs\/%{DATA:site}\/%{DATA:version}\/node%{NUMBER:node}\/store\/tomcat\/%{DATA:file}\.log"
}
}
}
}
这是一个示例输出:
{
"level" => "INFO",
"type" => "tomcat",
"data" => "Finished indexer cronjob.\r",
"timestamp" => "08-Jan-2020 11:00:05.860",
"qualifier1" => "[update-backofficeIndex-CronJob::ServicelayerJob]",
"@timestamp" => 2020-01-08T11:04:47.364Z,
"path" => "/mnt/logs/protec/qa/node1/store/tomcat/console-20200108.log",
"qualifier3" => "[SolrIndexerJob]",
"host" => "elk",
"@version" => "1",
"message" => "INFO | jvm 1 | srvmain | 08-Jan-2020 11:00:05.860 INFO [update-backofficeIndex-CronJob::ServicelayerJob] (update-backofficeIndex-CronJob) [SolrIndexerJob] Finished indexer cronjob.\r",
"qualifier2" => "(update-backofficeIndex-CronJob)"
}
基于此,我期望从解析消息中获取相关字段,并从解析路径中获取更多字段。然而,我添加了 none 的 "path" 解析字段。
我错过了什么?如何添加 site、version、node 和 file 字段?
根据解决问题的评论创建答案(因此是社区维基)。
显然它可能来自 break_on_match option,默认为 true。来自文档:
The first successful match by grok will result in the filter being finished. So if %{TOMCAT_LOG_1} or %{TOMCAT_LOG_2} match, it won't try to match the path field
我正在使用 logstash 解析多个日志文件 - 并希望将基于文件路径的字段添加到我的输出中。以下是配置文件的相关部分:
input {
file {
path => "/mnt/logs/**/console-20200108*.log"
type => "tomcat"
start_position => "beginning"
sincedb_path => "/dev/null"
}
}
filter {
if [type] == "tomcat" {
grok {
patterns_dir => "/usr/share/logstash/patterns"
match => {
"message" => [ "%{TOMCAT_LOG_1}", "%{TOMCAT_LOG_2}" ]
"path" => "\/mnt\/logs\/%{DATA:site}\/%{DATA:version}\/node%{NUMBER:node}\/store\/tomcat\/%{DATA:file}\.log"
}
}
}
}
这是一个示例输出:
{
"level" => "INFO",
"type" => "tomcat",
"data" => "Finished indexer cronjob.\r",
"timestamp" => "08-Jan-2020 11:00:05.860",
"qualifier1" => "[update-backofficeIndex-CronJob::ServicelayerJob]",
"@timestamp" => 2020-01-08T11:04:47.364Z,
"path" => "/mnt/logs/protec/qa/node1/store/tomcat/console-20200108.log",
"qualifier3" => "[SolrIndexerJob]",
"host" => "elk",
"@version" => "1",
"message" => "INFO | jvm 1 | srvmain | 08-Jan-2020 11:00:05.860 INFO [update-backofficeIndex-CronJob::ServicelayerJob] (update-backofficeIndex-CronJob) [SolrIndexerJob] Finished indexer cronjob.\r",
"qualifier2" => "(update-backofficeIndex-CronJob)"
}
基于此,我期望从解析消息中获取相关字段,并从解析路径中获取更多字段。然而,我添加了 none 的 "path" 解析字段。
我错过了什么?如何添加 site、version、node 和 file 字段?
根据解决问题的评论创建答案(因此是社区维基)。
显然它可能来自 break_on_match option,默认为 true。来自文档:
The first successful match by grok will result in the filter being finished. So if
%{TOMCAT_LOG_1}or%{TOMCAT_LOG_2}match, it won't try to match the path field