發送slowlogs到.csv文件？

Question

我正在使用logstash 2.4.0和logstash 2.4.0 我想使用logstash將slowlogs發送到.csv輸出文件。我的配置文件是這樣的

 input { 
    file { 
    path => "D:\logstash-2.4.0\logstash-2.4.0\bin\rachu.log" 
    start_position => "beginning" 
    } 
} 

filter { 
    grok { 
     match => [ "message", 

"\[%{TIMESTAMP_ISO8601:TIMESTAMP}\]\[%{LOGLEVEL:LEVEL}%{SPACE}\]\[%{DATA:QUERY}\]%{SPACE}\[%{DATA:QUERY1}\]%{SPACE}\[%{DATA:INDEX-NAME}\]\[%{DATA:SHARD}\]%{SPACE}took\[%{DATA:TOOK}\],%{SPACE}took_millis\[%{DATA:TOOKM}\], types\[%{DATA:types}\], stats\[%{DATA:stats}\],search_type\[%{DATA:search_type}\], total_shards\[%{NUMBER:total_shards}\], source\[%{DATA:source_query}\], extra_source\[%{DATA:extra_source}\],"] 
    } 
} 
output { 
    csv { 
     fields => ["TIMESTAMP","LEVEL","QUERY","QUERY1","INDEX-NAME","SHARD","TOOK","TOOKM","types","stats","search_type","total_shards","source_query","extra_source"] 
     path => "D:\logstash-2.4.0\logstash-2.4.0\bin\logoutput.csv" 
     spreadsheet_safe => false 
    } 

} 

Answer 1

csv過濾器在您的上下文中沒有用處。它的目標是解析傳入的CSV數據，但這不是你所擁有的。你需要的是先解析與grok過濾日誌線，只有這樣，你就可以正確地將其發送至csv輸出：

filter { 
    grok { 
     match => {"message" => "\[%{TIMESTAMP_ISO8601:TIMESTAMP}\]\[%{LOGLEVEL:LOGLEVEL} \]\[%{DATA:QUERY}\] \[%{WORD:QUERY1}\] \[%{WORD:INDEX}\]\[%{INT:SHARD}\] took\[%{BASE10NUM:TOOK}ms\], took_millis\[%{BASE10NUM:took_millis}\], types\[%{DATA:types}\], stats\[%{DATA:stats}\], search_type\[%{DATA:search_type}\], total_shards\[%{INT:total_shards}\], source\[%{DATA:source}\], extra_source\[%{DATA:extra_source}\]"} 
    } 
} 
output { 
    csv { 
     fields => ["TIMESTAMP","LOGLEVEL","QUERY","QUERY1","INDEX-NAME","SHARD","TOOK","took_millis","types","stats","search_type","total_shards","source_query","extra_source"] 
     path => "F:\logstash-5.1.1\logstash-5.1.1\finaloutput1" 
     spreadsheet_safe => false 
    } 
} 

注：這還不能在Logstash 5.1工作。 1因爲this open issue。它應該儘快得到解決，但同時它適用於Logstash 2.4。