我的 logstash 过滤器在调试器中正确,但在搜索我在 kibana 中测试的确切消息时不显示字段。这是我的过滤器:
filter {
if [type] == "syslog" {
grok {
match => { 'message' => '%{SYSLOG5424LINE}' }
}
syslog_pri {
syslog_pri_field_name => 'syslog5424_pri'
}
date {
match => [ 'syslog5424_ts', 'ISO8601' ]
}
}
这是我的日志消息的示例:
<134>1 2017-01-23T10:54:44.587136-08:00 mcmp mapp - - close ('xxx', 32415)
似乎过滤器未应用,我重新启动了我的 logstash 服务并在 grok 调试器中进行了测试。知道出了什么问题吗?
看起来它对我来说工作正常。
我创建了test.conf:
input {
stdin {}
}
filter {
grok {
match => { 'message' => '%{SYSLOG5424LINE}' }
}
syslog_pri {
syslog_pri_field_name => 'syslog5424_pri'
}
date {
match => [ 'syslog5424_ts', 'ISO8601' ]
}
}
output {
stdout { codec => "rubydebug" }
}
然后像这样测试:
echo "<134>1 2017-01-23T10:54:44.587136-08:00 mcmp mapp - - close ('xxx', 32415)" | bin/logstash -f test.conf
以及它作为输出给出的事件:
{
"syslog_severity_code" => 6,
"syslog_facility" => "local0",
"syslog_facility_code" => 16,
"syslog5424_ver" => "1",
"message" => "<134>1 2017-01-23T10:54:44.587136-08:00 mcmp mapp - - close ('xxx', 32415)",
"syslog5424_app" => "mapp",
"syslog5424_msg" => "close ('xxx', 32415)",
"syslog_severity" => "informational",
"tags" => [],
"@timestamp" => 2017-01-23T18:54:44.587Z,
"syslog5424_ts" => "2017-01-23T10:54:44.587136-08:00",
"syslog5424_pri" => "134",
"@version" => "1",
"host" => "xxxx",
"syslog5424_host" => "mcmp"
}
其中包含SYSLOG5424LINE模式包含的所有字段。