删除包含特定字符串的日志消息 [英] Drop log messages containing a specific string
问题描述
所以我有日志的格式:
[INFO] <blah.blah> 2016-06-27 21:41:38,263 some text
[INFO] <blah.blah> 2016-06-28 18:41:38,262 some other text
现在我想删除所有日志不包含特定字符串xyz,并保留所有其余的字符串。我也想索引时间戳。
Now I want to drop all logs that does not contain a specific string "xyz" and keep all the rest. I also want to index timestamp.
grokdebug 不是帮助很多
这是我的尝试:
input {
file {
path => "/Users/username/Desktop/validateLogconf/logs/*"
start_position => "beginning"
}
}
filter {
grok {
match => {
"message" => '%{SYSLOG5424SD:loglevel} <%{JAVACLASS:job}> %{GREEDYDATA:content}'
}
}
date {
match => [ "Date", "YYYY-mm-dd HH:mm:ss" ]
locale => en
}
}
output {
stdout {
codec => plain {
charset => "ISO-8859-1"
}
}
elasticsearch {
hosts => "http://localhost:9201"
index => "hello"
}
}
我是新来的上面的grok这样的模式可能没有意义。请帮助。
I am new to grok so patterns above might not be making sense. Please help.
推荐答案
删除不包含字符串 xyz :
if ([message] !~ "xyz") {
drop { }
}
您的grok模式没有抓住日志的日期部分。
一旦你有一个包含日期的格局模式的字段,你可以在这个字段上调用日期过滤器。
所以你的grok过滤器应该是这样的:
Your grok pattern is not grabbing the date part of your logs.
Once you have a field from your grok pattern containing the date, you can invoque the date filter on this field.
So your grok filter should look like this:
grok {
match => {
"message" => '%{SYSLOG5424SD:loglevel} <%{JAVACLASS:job}> %{TIMESTAMP_ISO8601:Date} %{GREEDYDATA:content}'
}
}
我添加了一个部分来抓取日期,这将在 Date 的字段中。然后你可以使用日期过滤器:
I added a part to grab the date, which will be in the field Date. Then you can use the date filter:
date {
match => [ "Date", "YYYY-mm-dd HH:mm:ss,SSS" ]
locale => en
}
我添加了,SSS 使格式与 Date 字段匹配。
解析的日期将存储在 @timestamp 字段中,除非与目标参数不同。
I added the ,SSS so that the format match the one from the Date field.
The parsed date will be stored in the @timestamp field, unless specified differently with the target parameter.
这篇关于删除包含特定字符串的日志消息的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
