0
Logstash可以自動識別日誌中的KV對並解析它們,就像splunk一樣。logstash可以自動識別日誌中的KV對並解析它們
我實際上寫了一個GROK過濾器,它解析字段並定義了一個KV過濾器,以便可以解析出額外的字段。但是一些日誌非常隨機,他們不符合我的GROK,並且從這些日誌中我必須將KV對解析爲字段。
我寫了一個神交:
%{MONTHDAY} %{MONTH} %{YEAR} %{TIME},%{NUMBER:duration} %{WORD:loglevel}%{SPACE}%{WORD:Activity} \[\{%{DATA:foo1}\}\]: %{GREEDYDATA:foo2}
,並在logstash配置文件,我將定義的字段foo1和foo2的對KV過濾器。
下面是其中我期待被解析成其他字段的日誌行:
[%t] 08 Aug 2017 18:55:38,179 INFO ApiConsumer [{applicationSystemCode=monicapp-app, clientIP=10.x.x.x, clusterId=Cluster-Id-NA, containerId=Container-Id-NA, correlationId=205c2806-2f97-f42f-00f5-9a43aafb9eb3, domainName=defaultDomain, hostName=10.x.x.x.domain.com, messageId=10.202.100.34-4041d41d-75f3-4282-9aab-dd1ab17ecdf3, userId=ANONYMOUS, webAnalyticsCorrelationId=B347BC083EB9DCE4ED5005506F1F1E63|}]: Accept="applications/json; v=1.0" Api-key="272df4bd-cb92-467e-b20b-4059e235b68e" Client-Correlation-Id="205c2806-2f97-f42f-00f5-9a43aafb9eb3" Content-Type="application/json" URL="https://mus.domain.com/private/appm/details-search"
[%t] 08 Aug 2017 18:55:38,203 INFO ApiConsumer [{applicationSystemCode=monicapp-app, clientIP=10.x.x.x, clusterId=Cluster-Id-NA, containerId=Container-Id-NA, correlationId=205c2806-2f97-f42f-00f5-9a43aafb9eb3, domainName=defaultDomain, hostName=ip-x-x-x.domain.com, messageId=10.x.x.34-4041d41d-75f3-4282-9aab-dd1ab17ecdf3, userId=ANONYMOUS, webAnalyticsCorrelationId=B347BC083EB9DCE4ED5005506F1F1E63|}]: KpiMetric="Cta" TransactionName="ApplicationDetail" TransactionStatus="Success" User="Associate(firstName=mike, lastName=daniel, role=Consultant, [email protected], electronicId=mkd)"
第二日誌行這裏的挑戰在這裏我想也解析裏面User="Associate(firstName=mike, lastName=daniel, role=Consultant, [email protected], electronicId=mkd)"
領域有什麼想法嗎?