Hi everyone!
My log file looks like this:
100.97.73.217 - - [19/Feb/2019:18:15:59 +0800] "GET /wap_themes/app-online625/images/sec-dev/plugin/LArea/LArea.css HTTP/1.1" 499 0 "https://www.lechange.com/wap/n ... ot%3B "Mozilla/5.0 (Linux; Android 7.1.1; OPPO A77 Build/NMF26F; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.132 MQQBrowser/6.2 TBS/044408 Mobile Safari/537.36"
100.97.73.215 - - [19/Feb/2019:18:15:59 +0800] "GET /wap_themes/app-online625/images/styles.css HTTP/1.1" 499 0 "https://www.lechange.com/wap/n ... ot%3B "Mozilla/5.0 (Linux; Android 7.1.1; OPPO A77 Build/NMF26F; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.132 MQQBrowser/6.2 TBS/044408 Mobile Safari/537.36"
100.117.56.243 - - [19/Feb/2019:18:15:59 +0800] "HEAD / HTTP/1.0" 200 0 "-" "-"
My grok pattern is:
%{IPORHOST:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:http_version})?|-)\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QUOTEDSTRING:domain} %{QUOTEDSTRING:data}
This pattern has already been tested successfully at https://grokdebug.herokuapp.com/ . I then wrote it into the logstash filter, see the attachment:
But in kibana I see that the index was created successfully, yet the log lines were not matched: the message field is still there, and it looks as if the whole grok section did not take effect. Where did I go wrong?
Thanks to everyone who answers!
@rochy, after switching to your grok pattern it still did not work, as shown in the image:
4 replies
ChrisChan - I love my bird~
Upvoted by: tacsklet
It turns out you cannot write the grok against the log as it appears in the file; you have to write it against the way kibana actually displays it.
kibana automatically adds an escape character before the double quotes, so some fields cannot use QS and have to use DATA together with \\"
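To see the mechanics behind this answer, here is an added Python check (not code from the thread) that expands the question's grok pattern into a regex using simplified stand-ins for the standard grok definitions, then tries it against the third sample log line and against a copy of that line with every double quote backslash-escaped; the escaped-aware variant with DATA and literal \" sequences is an assumption modelled on the answer above.

```python
import re

# Simplified stand-ins for the standard grok definitions (assumption: the real
# logstash-patterns-core regexes are longer, but accept the same inputs used here).
GROK_DEFS = {
    "IPORHOST": r"(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9.-]+)",
    "USER": r"[a-zA-Z0-9._-]+",
    "HTTPDATE": r"\d{1,2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
    "DATA": r".*?",
    # A quoted string must begin with an unescaped double quote.
    "QUOTEDSTRING": r'(?<!\\)"(?:\\.|[^\\"])*"',
}

def grok_to_regex(pattern: str) -> str:
    """Expand every %{NAME:field} token into a named regex group."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        return f"(?P<{field}>{GROK_DEFS[name]})"
    return re.sub(r"%\{(\w+):(\w+)\}", repl, pattern)

def grok_match(pattern: str, line: str):
    """Return the captured fields as a dict, or None when the pattern does not match."""
    m = re.match(grok_to_regex(pattern), line)
    return m.groupdict() if m else None

# Pattern exactly as posted in the question.
ORIGINAL = (r'%{IPORHOST:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] '
            r'\"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:http_version})?|-)\" '
            r'%{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QUOTEDSTRING:domain} %{QUOTEDSTRING:data}')

# Escaped-aware variant (assumption): DATA between literal \" sequences instead of QS.
ESCAPED = (r'%{IPORHOST:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] '
           r'\\"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:http_version})?|-)\\" '
           r'%{NUMBER:response} (?:%{NUMBER:bytes}|-) \\"%{DATA:domain}\\" \\"%{DATA:data}\\"')

# Third line of the question's sample log, and a constructed copy with every quote escaped.
RAW_LINE = '100.117.56.243 - - [19/Feb/2019:18:15:59 +0800] "HEAD / HTTP/1.0" 200 0 "-" "-"'
ESCAPED_LINE = RAW_LINE.replace('"', '\\"')

if __name__ == "__main__":
    print(grok_match(ORIGINAL, RAW_LINE))      # every field captured
    print(grok_match(ORIGINAL, ESCAPED_LINE))  # None: \" satisfies neither the literal " nor QS
    print(grok_match(ESCAPED, ESCAPED_LINE))   # fields captured again
```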
rochy - rochy_he
rochy - rochy_he
tacsklet - My company uses es