我用regex编写了一个grokfilter,在Grok Debugger中,配置可以正常工作,但当我想在logstash.conf中匹配时,结果总是"grokparsefailure"
我想要匹配的消息是:10.196.3.3-[2014年8月1日:00:00:16+0200]"GET/HTTP/1.1"200 1507"-"
我在grok调试器中的过滤器是:
(?<clientIP>[^ ]*)[^[]*[(?<timestamp>.{26})] "(?<httpRequest>[^"]*)" (?<httpStatusCode>d{3}) (?<bytesSent>[^ ]*) "(?<Referer>[^"]*)" "(?<userAgent>[^"]*)"
完整的conf是:
input {
file {
type => 'jboss_log'
path => '/home/christian/Downloads/access-logs-2014-08/vlpr133-2014-08/jBoss_http_access*.log'
start_position => 'beginning'
}
}
filter {
if [type] == 'jboss_log' {
grok {
match => [' message', '(?<clientIP>[^ ]*)[^[]*[(?<timestamp>.{26})] "(?<httpRequest>[^"]*)" (?<httpStatusCode>d{3}) (?<bytesSent>[^ ]*) "(?<Referer>[^"]*)" "(?<userAgent>[^"]*)"']
#tag_on_failure => [ ]
}}}
output {
stdout{codec => json }
elasticsearch {cluster => 'elasticsearch' }
}
所以也许有人能帮我?!
ups解决方案是在"message"之前有一个空白:D