logstash grok filter - grok parse failure

Problem description

I have multiline custom logs which I am processing as a single line by the filebeat multiline keyword. Now this includes \n at the end of each line. This however causes grok parse failure in my logstash config file. Can someone help me with this? Here is what all of them look like:

Please help me with the grok filter for the following line:

11/18/2016 3:05:50 AM : \nError thrown is:\nEmpty Queue\n*************************************************************************\nRequest sent is:\nhpi_hho_de,2015423181057,e06106f64e5c40b4b72592196a7a45cd\n*************************************************************************\nResponse received is:\nQSS RMS Holds Hashtable is empty\n*************************************************************************

Recommended answer

As @Mohsen suggested, you might have to use the gsub filter in order to replace all the new line characters in your log line.

filter {
  mutate {
    gsub => [
      # remove every newline character from the field
      "fieldname", "\n", ""
    ]
  }
}

Maybe you could also do the above within an if condition, to make sure that there isn't any grokparse failure.

filter {
  if "_grokparsefailure" in [tags] or "_dateparsefailure" in [tags] {
    # discard events that already failed grok or date parsing
    drop { }
  } else {
    mutate {
      gsub => [
        # remove every newline character from the field
        "fieldname", "\n", ""
      ]
    }
  }
}

Hope this helps!
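
An added example, not part of the original question or answer: a Ruby model of the pipeline above, showing the same single-line pattern failing on the newline-joined event and extracting fields once the newlines are stripped as in the gsub. The pattern, the function names, the output field names and the 73-character separator are assumptions made for illustration; the sample event is constructed from the line in the question.

```ruby
require "date"

# Constructed sample: the event from the question with real newline characters,
# as filebeat's multiline joining delivers it.
SEP = "*" * 73
RAW = "11/18/2016 3:05:50 AM : \nError thrown is:\nEmpty Queue\n#{SEP}\n" \
      "Request sent is:\nhpi_hho_de,2015423181057,e06106f64e5c40b4b72592196a7a45cd\n#{SEP}\n" \
      "Response received is:\nQSS RMS Holds Hashtable is empty\n#{SEP}"

# Hypothetical single-line pattern (not from the page). `.*?` stands in for a
# grok data pattern; `.` does not match a newline unless multiline mode is set.
PATTERN = Regexp.new(
  '\A(?<timestamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} (?:AM|PM)) : ' \
  'Error thrown is:(?<error>.*?)\*+' \
  'Request sent is:(?<request>.*?)\*+' \
  'Response received is:(?<response>.*?)\*+\z'
)

# Equivalent of: mutate { gsub => ["message", "\n", ""] }
def strip_newlines(message)
  message.gsub("\n", "")
end

# Returns the extracted fields, or a tagged event when the pattern or the
# timestamp does not parse (mirrors _grokparsefailure / _dateparsefailure).
def parse_event(message)
  m = PATTERN.match(message)
  return { "message" => message, "tags" => ["_grokparsefailure"] } if m.nil?

  event = {
    "error" => m[:error],
    "request_fields" => m[:request].split(","),
    "response" => m[:response]
  }
  begin
    ts = DateTime.strptime(m[:timestamp], "%m/%d/%Y %I:%M:%S %p")
    event["timestamp"] = ts.strftime("%Y-%m-%dT%H:%M:%S")
  rescue ArgumentError # Date::Error is a subclass of ArgumentError
    event["tags"] = ["_dateparsefailure"]
  end
  event
end

if __FILE__ == $PROGRAM_NAME
  p parse_event(RAW)["tags"]
  p parse_event(strip_newlines(RAW))
end
```

Tagging a failed event and keeping its original message, rather than dropping it, leaves the unparsed line available for later inspection.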
