谁能说得更清楚些?当我对grokdebug和grokconstructor进行测试时,我的grok模式工作得很好,但是当我把它放在Logastash中时,它从一开始就失败了。非常感谢任何指导。下面是我的过滤器和日志条目示例。
{"casename":"null","username":"null","startdate":"2015-05-26T01:09:23Z","enddate":"2015-05-26T01:09:23Z","time":"0.0156249","methodname":"null","url":"http://null.domain.com/null.php/null/jobs/_search?q=jobid:"0"&size=100&from=0","errortype":"null","errorinfo":"null","postdata":"null","methodtype":"null","servername":"null","gaggleid":"a51b90d6-1f82-46a7-adb9-9648def879c5","date":"2015-05-26T01:09:23Z","firstname":"null","lastname":"null"}
filter {
if [type] == 'EventLog' {
grok {
match => { 'message' => ' {"casename":"%{WORD:casename}","username":"%{WORD:username}","startdate":"%{TIMESTAMP_ISO8601:startdate}","enddate":"%{TIMESTAMP_ISO8601:enddate}","time":"%{NUMBER:time}","methodname":"%{WORD:methodname}","url":"%{GREEDYDATA:url}","errortype":"%{WORD:errortype}","errorinfo":"%{WORD:errorinfo}","postdata":"%{GREEDYDATA:postdata}","methodtype":"%{WORD:methodtype}","servername":"%{HOST:servername}","gaggleid":"%{GREEDYDATA:gaggleid}","date":"%{TIMESTAMP_ISO8601:date}","firstname":"%{WORD:firstname}","lastname":"%{WORD:lastname}"} '
}
}
}
}
"从一开始就失败",真的!看到了吗?
'message' => ' {"casename"
^^^
在输入中没有起始(或尾随)空格,但是在模式中有它们。删除它们,它在logstash中工作得很好。
顺便说一句,你见过json编解码器或过滤器吗?