【logstash】 - 使用mutate处理数据

mutate:http://www.logstash.net/docs/1.4.2/filters/mutate

使用logstash提取oracle的alter日志的ora错误。
日志格式如下：

alter database open
Errors in file d:\oracle\diag\rdbms\hxw168\hxw168\trace\hxw168_ora_6148.trc:
ORA-01589: 要打开数据库则必须使用 RESETLOGS 或 NORESETLOGS 选项
ORA-1589 signalled during: alter database open...
alter database open resetlogs

logstash内容：

input{
file{
codec => plain {
charset => "CP936" #windows下的编码是cp936(chcp查看)
}
type => "oracleerr"
path => "D:/logsystem/logstash/bin/test/alert_hxw168.log"
start_position => "beginning"
}
#stdin{type => "hxwtest"}

}

filter{
mutate{
#以:号分割message内容，分割后以数据方式显示。
#比如abc:efg => message[0] = abc message[1]=efg

split => ["message",":"]
}
#第一个数据的内容中ORA-xxxxx这种格式，则这条内容是ora错误。添加二个字段
#oraerr orades

if [message][0] =~ /^ORA-[0-9]{5}/ {
mutate{
add_field =>   {
"ORAERR" => "%{[message][0]}"
"ORADES" => "%{[message][1]}"
}
}
}

}

output{
#有ORAERR字段，则输出。
if [ORAERR]{
stdout{
codec => rubydebug
}
}

}

结果：

1.
{
"message" => [
[0] "ORA-00322",
[1] " 日志 2 (用于线程 1) 不是最新副本\r"
],
"@version" => "1",
"@timestamp" => "2014-12-12T15:50:53.790Z",
"type" => "oracleerr",
"host" => "huangwen",
"path" => "D:/logsystem/logstash/bin/test/alert_hxw168.log",
"ORAERR" => "ORA-00322",
"ORADES" => " 日志 2 (用于线程 1) 不是最新副本\r"
}

2.
{
"message" => [
[0] "ORA-00312",
[1] " 联机日志 2 线程 1",
[2] " 'D",
[3] "\\ORACLE\\ORADATA\\HXW168\\REDO02.LOG'\r"
],
"@version" => "1",
"@timestamp" => "2014-12-12T15:50:53.790Z",
"type" => "oracleerr",
"host" => "huangwen",
"path" => "D:/logsystem/logstash/bin/test/alert_hxw168.log",
"ORAERR" => "ORA-00312",
"ORADES" => " 联机日志 2 线程 1"
}

本文出自 “尽管错，让我错到死！” 博客，请务必保留此出处http://hxw168.blog.51cto.com/8718136/1589498