Using Logstash Filters
2015-08-27 10:35
I have recently been using Logstash in a project for log collection and filtering, and it has turned out to be quite capable. A pipeline has three stages:
input: connects to the data source
filter: transforms and filters the events read from the source
output: where the processed events are sent
The filter stage is the important part. Our current requirement is to extract key-value pairs from a string, which takes three steps:
1. mutate's split, which splits a field on a delimiter.
2. grok, which uses a regular expression to extract substrings.
3. kv, which extracts the key=value pairs as fields.
The configuration used for this (Logstash 1.5.3; the comments describe what each block does, and the `output` block, which was missing its closing brace, is closed):

```
input {
  file {
    path => "/XXX/syslog.txt"
    start_position => "beginning"
    # Lines that do not start with the custom MESSAGE pattern are appended to the
    # previous event, so one event may span several physical lines.
    codec => multiline {
      patterns_dir => ["/XX/logstash-1.5.3/patterns"]
      pattern => "^%{MESSAGE}"
      negate => true
      what => "previous"
    }
  }
}

filter {
  # Step 1: split the raw message on "|" (message becomes an array) and copy the
  # positional fields out by index.
  mutate {
    split => ["message", "|"]
    add_field => {
      "tmp"           => "%{[message][0]}"
      "DeviceProduct" => "%{[message][2]}"
      "DeviceVersion" => "%{[message][3]}"
      "Signature ID"  => "%{[message][4]}"
      "Name"          => "%{[message][5]}"
    }
  }
  # The first field is split again on ":"; its second element is kept for grok and
  # its third becomes Version.
  mutate {
    split => ["tmp", ":"]
    add_field => {
      "tmp1"    => "%{[tmp][1]}"
      "Version" => "%{[tmp][2]}"
    }
    remove_field => ["tmp"]
  }
  # Step 2: grok pulls the event type out of tmp1 with the custom TYPE pattern
  # from patterns_dir.
  grok {
    patterns_dir => ["/XXX/logstash-1.5.3/patterns"]
    match => { "tmp1" => "%{TYPE:type}" }
    remove_field => ["tmp1"]
  }
  # Step 3: kv reads the message field (now an array; each element is parsed) and
  # turns key=value pairs into fields. Only the keys listed in include_keys become
  # fields; the names are ArcSight extension keys. Note that kv splits pairs on
  # whitespace by default, so a value that itself contains spaces is cut off at
  # the first space.
  kv {
    include_keys => ["eventId", "msg", "end", "mrt", "modelConfidence", "severity", "relevance", "assetCriticality", "priority", "art", "rt", "cs1", "cs2", "cs3", "locality", "cs2Label", "cs3Label", "cs4Label", "flexString1Label", "ahost", "agt", "av", "atz", "aid", "at", "dvc", "deviceZoneID", "deviceZoneURI", "dtz", "eventAnnotationStageUpdateTime", "eventAnnotationModificationTime", "eventAnnotationAuditTrail", "eventAnnotationVersion", "eventAnnotationFlags", "eventAnnotationEndTime", "eventAnnotationManagerReceiptTime", "_cefVer", "ad.arcSightEventPath"]
  }
  # Keep only the first element of the comma-separated event path, then drop the
  # raw message now that everything needed has been extracted from it.
  mutate {
    split => ["ad.arcSightEventPath", ","]
    add_field => { "arcSightEventPath" => "%{[ad.arcSightEventPath][0]}" }
    remove_field => ["ad.arcSightEventPath", "message"]
  }
}

output {
  kafka {
    topic_id => "rawlog"
    batch_num_messages => 20
    broker_list => "10.3.162.193:39192,10.3.162.194:39192,10.3.162.195:39192"
    codec => "json"
  }
  stdout { codec => rubydebug }
}
```
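To see what the three filter steps actually produce, here is an added example in plain Ruby (the language Logstash filters are written in); it is not code from the original post or from Logstash itself. It models the same chain (split on "|", a grok-style regex on the first field, kv extraction of the extension, the final split of ad.arcSightEventPath) on a constructed CEF-style line, and goes one step further than the page: it shows how the kv filter's default whitespace split truncates a value containing spaces, gives a CEF-aware extraction instead, and flags a whitelisted key that appears twice, which is what an attacker-controlled log value embedding " severity=10" looks like. Everything about the line layout, the TYPE pattern and the sample content is an assumption made for the example.

```ruby
# Added example, not code from the original post or from Logstash itself: a
# plain-Ruby model of the three filter stages used in the config above
# (split on "|", a grok-style regex on the first field, kv extraction of the
# extension), run over a constructed CEF-style line so the extraction can be
# checked offline and compared with what the default kv settings would give.
#
# Assumptions not stated on the page: the line follows the CEF header layout
# "prefix CEF:<ver>|Vendor|Product|Version|SignatureID|Name|Severity|extension",
# the extension is a space-separated key=value list whose values may contain
# spaces, and the page's custom TYPE pattern is modelled here as the word that
# precedes the CEF version number.

# Subset of the keys the page's kv filter whitelists with include_keys.
INCLUDE_KEYS = %w[eventId msg severity priority ahost ad.arcSightEventPath].freeze

# Stage 1: mutate { split => ["message", "|"] } plus the add_field indices from the config.
def split_header(line)
  parts = line.split("|")
  {
    "tmp"           => parts[0],
    "DeviceProduct" => parts[2],
    "DeviceVersion" => parts[3],
    "Signature ID"  => parts[4],
    "Name"          => parts[5],
    # everything after the seventh "|" is the extension; re-join it in case a value holds "|"
    "extension"     => (parts[7..-1] || []).join("|"),
  }
end

# Stage 2: the grok step. The page uses a custom TYPE pattern; assumed here to be
# the word right before the version number ("CEF" in "CEF:0").
def parse_type(tmp)
  m = tmp.to_s.match(/(?<type>[A-Za-z]+):(?<version>\d+)\z/)
  m ? { "type" => m[:type], "Version" => m[:version] } : {}
end

# Stage 3a: what kv { } does with its default field_split of " ":
# every whitespace-separated token is one pair, so a value containing spaces is cut.
def kv_naive(ext, keys = INCLUDE_KEYS)
  ext.split(" ").each_with_object({}) do |tok, h|
    k, v = tok.split("=", 2)
    h[k] = v if v && keys.include?(k)
  end
end

# Stage 3b: CEF-aware extraction. A value runs until the next " key=" token.
# CEF escapes "=" inside values as "\=", and "\" is not part of a key token,
# so an escaped "=" does not start a new pair.
KV_RE = /([\w.]+)=(.*?)(?=\s[\w.]+=|\z)/

def kv_cef(ext, keys = INCLUDE_KEYS)
  ext.scan(KV_RE).each_with_object({}) do |(k, v), h|
    h[k] = v if keys.include?(k)
  end
end

# Check the page does not make: the extension comes from the log source and can
# be attacker-influenced. A value that embeds " severity=10" spoofs a later key
# (the last occurrence wins above). Report whitelisted keys that occur more than
# once so such lines can be flagged instead of trusted.
def duplicate_keys(ext, keys = INCLUDE_KEYS)
  counts = Hash.new(0)
  ext.scan(KV_RE).each { |(k, _v)| counts[k] += 1 if keys.include?(k) }
  counts.select { |_, n| n > 1 }.keys
end

# The whole chain, ending with the page's split of ad.arcSightEventPath on ",".
def parse_event(line)
  fields = split_header(line)
  ext = fields.delete("extension")
  fields.merge!(parse_type(fields.delete("tmp")))
  fields.merge!(kv_cef(ext))
  path = fields.delete("ad.arcSightEventPath")
  fields["arcSightEventPath"] = path.split(",")[0] if path
  fields["spoofed_keys"] = duplicate_keys(ext)
  fields
end

# Constructed sample line; not a real event.
SAMPLE = "Aug 27 10:35:00 host CEF:0|Vendor|Product|1.0|100|Test event|Low|" \
         "eventId=1001 msg=Failed login for root ahost=host severity=3 ad.arcSightEventPath=pathA,pathB"

if __FILE__ == $PROGRAM_NAME
  p kv_naive(SAMPLE.split("|", 8)[7])["msg"] # default kv split keeps only "Failed"
  p parse_event(SAMPLE)
end
```

The naive split reproduces the kv filter's default behaviour, where `msg` ends up as "Failed" instead of "Failed login for root"; on real Logstash the equivalent fix is a field_split or a grok pattern that knows where a CEF value ends. The duplicate-key check is cheap and worth running before the event reaches Kafka, because downstream consumers will otherwise see whichever copy of `severity` the producer, or whoever wrote the log content, put last.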