Parsing error "_grokparsefailure" in LogStash

Problem description

At first I displayed the logs in Kibana from the syslog and it worked fine. I set it up according to the documentation.

Now I've changed the source of the logs: it now retrieves logs from my web application, and although Kibana still displays them kind of correctly, there are now the tags "_grokparsefailure", which means that there's an error in parsing the logs.

The filter I am currently using:

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

How can I find out where the parsing error is? Is there an online service which would help me create a grok pattern for my new logs? Any other advice?

UPDATE: the logs are in json.

Recommended answer

In response to the OP:

Is there an online service which would help me create a grok pattern for my new logs?

My favorite tool for testing grok patterns is: http://grokconstructor.appspot.com/do/match

But I know some prefer: https://grokdebug.herokuapp.com/

Your logs probably aren't parsing properly because you're using the syslog pattern on logs that aren't in the syslog format.

For json log parsing you may want to look at either the json filter or the json codec.
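
One way to lay out the filter so that syslog lines keep the grok from the question and the web application's JSON lines go through the json filter instead (an added example, not part of the original question or answer). The `webapp` type name, the `app` target, the `timestamp` key and the `parse_status` field are assumptions for illustration.

```logstash
filter {
  if [type] == "syslog" {
    # Unchanged: the syslog grok from the question, applied to real syslog lines only.
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  } else if [type] == "webapp" {
    # Assumed type name, set on the input that reads the web application's logs.
    json {
      source => "message"   # the raw JSON line
      # Assumed target: nesting the parsed keys keeps application-supplied
      # keys from overwriting pipeline fields such as host, type or @timestamp.
      target => "app"
    }
    if "_jsonparsefailure" not in [tags] {
      date {
        # Assumed: the application writes an ISO 8601 "timestamp" key.
        match => [ "[app][timestamp]", "ISO8601" ]
      }
    }
  }

  # Mark every event that failed to parse so it can be filtered on in Kibana
  # and the offending raw "message" inspected.
  if "_grokparsefailure" in [tags] or "_jsonparsefailure" in [tags] {
    mutate { add_field => { "parse_status" => "failed" } }   # hypothetical field name
  }
}
```

Searching Kibana for `tags:_grokparsefailure` or `tags:_jsonparsefailure` then shows exactly which raw lines the pipeline could not parse.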
