Logstash _grokparsefailure



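Can anyone shed some light on this? My grok pattern works fine when I test it against grokdebug and grokconstructor, but when I put it in Logstash it fails from the beginning. Any guidance would be greatly appreciated. Below are my filter and a sample log entry.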

{"casename":"null","username":"null","startdate":"2015-05-26T01:09:23Z","enddate":"2015-05-26T01:09:23Z","time":"0.0156249","methodname":"null","url":"http://null.domain.com/null.php/null/jobs/_search?q=jobid:"0"&size=100&from=0","errortype":"null","errorinfo":"null","postdata":"null","methodtype":"null","servername":"null","gaggleid":"a51b90d6-1f82-46a7-adb9-9648def879c5","date":"2015-05-26T01:09:23Z","firstname":"null","lastname":"null"}

filter {
  if [type] == 'EventLog' {
    grok {
      match => { 'message' =>  ' {"casename":"%{WORD:casename}","username":"%{WORD:username}","startdate":"%{TIMESTAMP_ISO8601:startdate}","enddate":"%{TIMESTAMP_ISO8601:enddate}","time":"%{NUMBER:time}","methodname":"%{WORD:methodname}","url":"%{GREEDYDATA:url}","errortype":"%{WORD:errortype}","errorinfo":"%{WORD:errorinfo}","postdata":"%{GREEDYDATA:postdata}","methodtype":"%{WORD:methodtype}","servername":"%{HOST:servername}","gaggleid":"%{GREEDYDATA:gaggleid}","date":"%{TIMESTAMP_ISO8601:date}","firstname":"%{WORD:firstname}","lastname":"%{WORD:lastname}"} '
      }
    }
  }
}

"Fails from the beginning", indeed! See this?

'message' =>  ' {"casename"
              ^^^

There are no leading (or trailing) spaces in the input, but you have them in the pattern. Remove them and it works fine in Logstash.

By the way, have you seen the json codec or filter?
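
The mismatch described in the answer, reproduced as an added Python example (not code from the question or the answer). The regexes in GROK are simplified stand-ins for the real grok definitions and the helper names are hypothetical; the sample line is the one from the question. It also checks whether that line, as printed on this page, parses as JSON, which is worth knowing before moving to the json codec or filter.

```python
import json
import re

# Simplified regex stand-ins for the grok types (assumptions, not grok's own definitions).
GROK = {
    "WORD": r"\b\w+\b",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
    "TIMESTAMP_ISO8601": r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ",
    "GREEDYDATA": r".*",
    "HOST": r"[A-Za-z0-9][A-Za-z0-9.-]*",
}
# Field name and grok type, in the order used by the question's pattern.
FIELDS = [("casename", "WORD"), ("username", "WORD"),
          ("startdate", "TIMESTAMP_ISO8601"), ("enddate", "TIMESTAMP_ISO8601"),
          ("time", "NUMBER"), ("methodname", "WORD"), ("url", "GREEDYDATA"),
          ("errortype", "WORD"), ("errorinfo", "WORD"), ("postdata", "GREEDYDATA"),
          ("methodtype", "WORD"), ("servername", "HOST"), ("gaggleid", "GREEDYDATA"),
          ("date", "TIMESTAMP_ISO8601"), ("firstname", "WORD"), ("lastname", "WORD")]
BODY = "{" + ",".join('"%s":"%%{%s:%s}"' % (f, t, f) for f, t in FIELDS) + "}"
PATTERN_AS_POSTED = " " + BODY + " "   # leading and trailing space, as in the question
PATTERN_TRIMMED = BODY                 # the answer's fix: no surrounding spaces
# Log entry from the question, copied as it appears on this page.
SAMPLE = (
    '{"casename":"null","username":"null","startdate":"2015-05-26T01:09:23Z",'
    '"enddate":"2015-05-26T01:09:23Z","time":"0.0156249","methodname":"null",'
    '"url":"http://null.domain.com/null.php/null/jobs/_search?q=jobid:"0"&size=100&from=0",'
    '"errortype":"null","errorinfo":"null","postdata":"null","methodtype":"null","servername":"null",'
    '"gaggleid":"a51b90d6-1f82-46a7-adb9-9648def879c5","date":"2015-05-26T01:09:23Z","firstname":"null","lastname":"null"}')

def grok_match(pattern, line):
    """Turn %{TYPE:field} into named groups and search unanchored, as grok does."""
    parts = re.split(r"%\{(\w+):(\w+)\}", pattern)
    regex = re.escape(parts[0])            # literal text, spaces included
    for i in range(1, len(parts), 3):
        gtype, field, literal = parts[i:i + 3]
        regex += "(?P<%s>%s)" % (field, GROK[gtype]) + re.escape(literal)
    m = re.search(regex, line)
    return m.groupdict() if m else None

def parses_as_json(line):
    try:
        json.loads(line)
        return True
    except json.JSONDecodeError:
        return False

if __name__ == "__main__":
    print(grok_match(PATTERN_AS_POSTED, SAMPLE), grok_match(PATTERN_TRIMMED, SAMPLE),
          parses_as_json(SAMPLE))
```

The posted pattern returns None because the input never contains a space before `{`, while the trimmed pattern extracts all sixteen fields. The sample as printed is rejected by a strict JSON parser because of the unescaped quotes around 0 in the url value.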
