My logs look like this:
[2017-05-17 22:22:55,708][WARN ][index.indexing.slowlog.index] [Torpedo][bank][1] took[101.4ms], took_millis[101], type[detail], id[88], routing[] , source[{"account_number":25,"balance":40540,"firstname":"Virginia","lastname":"Ayala","age":39,"gender":"F","address":"171 Putnam Avenue","employer":"Filodyne","email":"virginiaayala@filodyne.com","city":"Nicholson","state":"PA"}]
[2017-05-17 22:23:35,292][WARN ][index.indexing.slowlog.index] [Torpedo][bank][4] took[10.4ms], took_millis[10], type[detail], id[69], routing[] , source[{"account_number":25,"balance":40540,"firstname":"Virginia","lastname":"Ayala","age":39,"gender":"F","address":"171 Putnam Avenue","employer":"Filodyne","email":"virginiaayala@filodyne.com","city":"Nicholson","state":"PA"}]
My grok looks like this:
filter {
grok {
match => [ "message", "[%{TIMESTAMP_ISO8601:TIMESTAMP}][%{LOGLEVEL:LEVEL}%{SPACE}][%{DATA:QUERY}]%{SPACE}[%{DATA:QUERY1}]%{SPACE}[%{DATA:INDEX-NAME}][%{DATA:SHARD}]%{SPACE}took[%{DATA:TOOK}],%{SPACE}took_millis[%{DATA:TOOKM}], type[%{DATA:type}], id[%{NUMBER:id}], routing[%{DATA:routing}], source[%{DATA:source}],"]
}
}
When I check it on the grokconstructor site, it shows as matched.
[2017-05-17 22:22:55,708][WARN ][index.indexing.slowlog.index] [Torpedo][bank][1] took[101.4ms], took_millis[101], type[detail], id[88], routing[], source[{"account_number":25,"balance":40540,"firstname":"Virginia","lastname":"Ayala","age":39,"gender":"F","address":"171 Putnam Avenue","employer":"Filodyne","email":"virginiaayala@filodyne.com","city":"Nicholson","state":"PA"}]
MATCHED
source {"account_number":25,"balance":40540,"firstname":"Virginia","lastname":"Ayala","age":39,"gender":"F","address":"171·Putnam·Avenue","employer":"Filodyne","email":"virginiaayala@filodyne.com","city":"Nicholson","state":"PA"}
INDEX-NAME bank
SHARD 1
QUERY index.indexing.slowlog.index
LEVEL WARN
id 88
TOOK 101.4ms
TOOKM 101
routing
TIMESTAMP 2017-05-17·22:22:55,708
QUERY1 Torpedo
type detail
before match: [
When I run it through Logstash, it throws an error like this:
"message" => "[2017-05-17 22:23:35,292][WARN ][index.indexing.slowlog.index] [Torpedo][bank][4] took[10.4ms], took_millis[10], type[detail], id[69], routing[] , source[{"account_number":25,"balance":40540,"firstname":"Virginia","lastname":"Ayala","age":39,"gender":"F","address":"171 Putnam Avenue","employer":"Filodyne","email":"virginiaayala@filodyne.com","city":"Nicholson","state":"PA"}]r",
"@version" => "1",
"@timestamp" => "2017-05-17T17:35:36.287Z",
"path" => "F:\logstash-2.4.0\logstash-2.4.0\bin\index.txt",
"host" => "yaswanth",
"tags" => [
[0] "_grokparsefailure"
]
How can I avoid this?
Thanks
routing[] ,
After the routing field, I forgot to leave room for a space (i.e. %{SPACE}). That was the error.
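A small Python check of the fix described in the answer above, added here as an example and not part of the original post. The regexes are simplified, hand-written stand-ins for the tail of the grok pattern (grok itself is not invoked), and the two sample lines are shortened from the log lines in the question: one as it appears in the log file (`routing[] ,`) and one as it was pasted into grokconstructor (`routing[],`).

```python
import re

# Simplified stand-ins for the grok building blocks (assumption: DATA is a
# lazy ".*?", SPACE is "\s*", NUMBER is reduced to plain digits).
DATA, SPACE, NUMBER = r".*?", r"\s*", r"\d+"

def build_tail(after_routing):
    """Regex for the end of the slowlog line. `after_routing` is what the
    pattern tolerates between 'routing[...]' and the following comma."""
    return re.compile(
        rf"type\[(?P<type>{DATA})\], id\[(?P<id>{NUMBER})\], "
        rf"routing\[(?P<routing>{DATA})\]{after_routing}, "
        rf"source\[(?P<source>\{{.*\}})\]"
    )

STRICT = build_tail("")       # as in the question: nothing allowed before the comma
TOLERANT = build_tail(SPACE)  # as in the answer: %{SPACE} after routing[...]

# Constructed samples, shortened from the lines on the page.
FROM_FILE = ('took[10.4ms], took_millis[10], type[detail], id[69], '
             'routing[] , source[{"account_number":25,"state":"PA"}]')
PASTED = ('took[101.4ms], took_millis[101], type[detail], id[88], '
          'routing[], source[{"account_number":25,"state":"PA"}]')

def parse(pattern, line):
    """Return the captured fields, or the failure tag Logstash would add."""
    m = pattern.search(line)
    if m is None:
        return {"tags": ["_grokparsefailure"]}
    return m.groupdict()

def compare(line):
    """Report which of the two patterns extracts fields from `line`."""
    return {name: "tags" not in parse(pat, line)
            for name, pat in (("strict", STRICT), ("tolerant", TOLERANT))}

if __name__ == "__main__":
    for label, line in (("log file", FROM_FILE), ("pasted", PASTED)):
        print(label, compare(line))
```

The strict pattern only matches the pasted line, which is why the online test reported a match while the file input was tagged `_grokparsefailure`.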