使用Losgtash解析日志 [英] Parse a log using Losgtash

问题描述

我正在使用Logstash解析日志文件.日志行示例如下所示.

I am using Logstash to parse a log file. A sample log line is shown below.

2011/08/10 09:51:34.450457,1.048908，tcp，213.200.244.217,47908，->，147.32.84.59,6881，S_RA，0,0,4,244,124，flow =背景建立的cmpgw-CVUT

2011/08/10 09:51:34.450457,1.048908,tcp,213.200.244.217,47908, ->,147.32.84.59,6881,S_RA,0,0,4,244,124,flow=Background-Established-cmpgw-CVUT

我在配置文件中使用以下过滤器.

I am using following filter in my confguration file.

 grok {
       match => ["message","%{DATESTAMP:timestamp},%{BASE16FLOAT:value},%{WORD:protocol},%{IP:ip},%{NUMBER:port},%{GREEDYDATA:direction},%{IP:ip2},%{NUMBER:port2},%{WORD:status},%{NUMBER:port3},%{NUMBER:port4},%{NUMBER:port5},%{NUMBER:port6},%{NUMBER:port7},%{WORD:flow}" ]
    }

它适用于无错误的日志行.但是当我有下面这样的一行时，它失败了.请注意，第二个字段丢失.

It works well for error-free log lines. But when I have a line like below, it fails. Note that the second field is missing.

2011/08/10 09:51:34.450457，，tcp，213.200.244.217,47908，->，147.32.84.59,6881，S_RA，0,0,4,244,124，flow =背景建立的cmpgw-CVUT

2011/08/10 09:51:34.450457,,tcp,213.200.244.217,47908, ->,147.32.84.59,6881,S_RA,0,0,4,244,124,flow=Background-Established-cmpgw-CVUT

如果缺少值，我想在我的输出Json对象中放一个默认值.我该怎么办?

I want to put a default value in there in my output Json object, if a value is missing. how can I do that?

推荐答案

在conf文件中使用它.现在，如果value字段为空，则将其忽略.

Use it in your conf file. Now, if value field is empty it will omit it in response.

input {
   stdin{
   }
}
filter {

grok {
       match => ["message","%{DATESTAMP:timestamp},%{DATA:value},%{WORD:protocol},%{IP:ip},%{NUMBER:port},%{GREEDYDATA:direction},%{IP:ip2},%{NUMBER:port2},%{WORD:status},%{NUMBER:port3},%{NUMBER:port4},%{NUMBER:port5},%{NUMBER:port6},%{NUMBER:port7},%{WORD:flow}" ]
    }

}
output {
  stdout {
        codec => rubydebug
  }
}

这篇关于使用Losgtash解析日志的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！