我试图让grok使用logstash,但很难摆脱起步阶段。我试图将事情简化为一个简洁的测试,它就在这里:
require "test_utils"
describe "basic grokking" do
extend LogStash::RSpec
config <<-CONFIG
filter {
grok {
match => [ "message", "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" ]
}
}
CONFIG
sample ({'@message' => '55.3.244.1 GET /index.html 15824 0.043'}) do
puts subject.inspect # view http://www.codeshare.io/OhDC0
insist { subject["client"] } == "55.3.244.1"
end
end
我得到以下错误:
1) basic grokking "{"@message":"55.3.244.1 GET /index.html 15824 0.043..." when processed
Failure/Error: Unable to find matching line from backtrace
Insist::Failure:
Expected "55.3.244.1", but got nil
再多的语法调整也不会得到结果,我也不知道如何检查subject来找出其中的内容。
最终目的是使用grok提取以下HttpRequestId:
[HttpRequestId = e29041b2-a4a0-4bf3-ba05-2de5e7bcf444] 2015/04/10 08:12:51:632 [DEBUG] ... log message ...
使用类似的东西:
grok {
match => [ "Message", "[HttpRequestId = %{UUID:HttpRequestId}" ]
}
注意我已经对照https://grokdebug.herokuapp.com/他们工作。这与我的测试方式有关。
经过广泛的研究,以下是logstash 1.4.2:的grok表达式的最小rspec测试
# encoding: utf-8
require "test_utils"
describe "simple test" do
extend LogStash::RSpec
config <<-CONFIG
filter {
grok {
match => { "message" => "am%{GREEDYDATA:foo}" }
}
}
CONFIG
sample 'amessage' do
insist { subject["foo"] } == "essage"
insist { subject["message"] } == "amessage"
end
end
请注意,您必须有# encoding ...行,否则您将得到Expected "essage", but got nil消息。
此邮件列表消息有助于:https://groups.google.com/d/msg/logstash-users/rs6jlAxv36M/1ylU-GJ-DVQJ