<pre name="code" class="html">Here is what a log line looks like:

55.3.244.1 GET /index.html 15824 0.043

The grok pattern that matches it:

%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}

How is that written in the config file? (Note the path must use plain ASCII double quotes; the curly quotes that sometimes get pasted in from a web page are a syntax error for Logstash.)

input {
  file {
    path => "/var/log/http.log"
  }
}
filter {
  grok {
    match => [ "message", "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" ]
  }
}

What does the event look like after parsing?

client: 55.3.244.1
method: GET
request: /index.html
bytes: 15824
duration: 0.043

/********* 1. Read the file and print the raw event with the rubydebug codec
zjtest7-frontend:/usr/local/logstash-2.3.4/config# cat log01.conf
input {
  file {
    path => "/var/log/http.log"
  }
}
output {
  stdout {
    codec => rubydebug {}
  }
}
The output at this point:
Pipeline main started
{
       "message" => "55.3.244.1 GET /index.html 15824 0.043",
      "@version" => "1",
    "@timestamp" => "2016-08-27T15:03:23.554Z",
          "path" => "/var/log/http.log",
          "host" => "0.0.0.0"
}

/*** What about switching the stdout codec to json? (The config for this run is not shown on the page; only the single-line JSON output below is.)
zjtest7-frontend:/usr/local/logstash-2.3.4/config# ../bin/logstash -f log01.conf
Settings: Default pipeline workers: 1
Pipeline main started
{"message":"55.3.244.1 GET /index.html 15824 0.043","@version":"1","@timestamp":"2016-08-27T15:05:07.945Z","path":"/var/log/http.log","host":"0.0.0.0"}

/*** Now also send the events to Elasticsearch and look at them there:
zjtest7-frontend:/usr/local/logstash-2.3.4/config# cat log01.conf
input {
  file {
    path => "/var/log/http.log"
  }
}
output {
  elasticsearch {
    hosts => "192.168.32.80:9200"
    index => "logstash-zjzc-test"
  }
  stdout {
    codec => rubydebug
  }
}

Output:
Settings: Default pipeline workers: 1
Pipeline main started
{
       "message" => "55.3.244.1 GET /index.html 15824 0.043",
      "@version" => "1",
    "@timestamp" => "2016-08-27T15:08:00.336Z",
          "path" => "/var/log/http.log",
          "host" => "0.0.0.0"
}

The document as stored in Elasticsearch:
{
  "_index": "logstash-zjzc-test",
  "_type": "logs",
  "_id": "AVbMiuMLEY-onx06xWo-",
  "_version": 1,
  "_score": 1,
  "_source": {
    "message": "55.3.244.1 GET /index.html 15824 0.043",
    "@version": "1",
    "@timestamp": "2016-08-27T15:08:00.336Z",
    "path": "/var/log/http.log",
    "host": "0.0.0.0"
  }
}

/******* Parse the log line with the grok filter
zjtest7-frontend:/usr/local/logstash-2.3.4/config# cat log01.conf
input {
  file {
    path => "/var/log/http.log"
  }
}
filter {
  grok {
    match => [ "message", "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" ]
  }
}
output {
  elasticsearch {
    hosts => "192.168.32.80:9200"
    index => "logstash-zjzc-test"
  }
  stdout {
    codec => rubydebug
  }
}

Output:
zjtest7-frontend:/usr/local/logstash-2.3.4/config# ../bin/logstash -f log01.conf
Settings: Default pipeline workers: 1
Pipeline main started
{
       "message" => "55.3.244.1 GET /index.html 15824 0.043",
      "@version" => "1",
    "@timestamp" => "2016-08-27T15:09:59.173Z",
          "path" => "/var/log/http.log",
          "host" => "0.0.0.0",
        "client" => "55.3.244.1",
        "method" => "GET",
       "request" => "/index.html",
         "bytes" => "15824",
      "duration" => "0.043"
}

The document as stored in Elasticsearch:
{
  "_index": "logstash-zjzc-test",
  "_type": "logs",
  "_id": "AVbMjLJeEY-onx06xWpC",
  "_version": 1,
  "_score": 1,
  "_source": {
    "message": "55.3.244.1 GET /index.html 15824 0.043",
    "@version": "1",
    "@timestamp": "2016-08-27T15:09:59.173Z",
    "path": "/var/log/http.log",
    "host": "0.0.0.0",
    "client": "55.3.244.1",
    "method": "GET",
    "request": "/index.html",
    "bytes": "15824",
    "duration": "0.043"
  }
}
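Two things are worth noticing in the parsed output above. First, the new fields are all strings: "bytes" => "15824" and "duration" => "0.043" are quoted both in the rubydebug output and in the Elasticsearch document, so the index will map them as strings and range queries or sums on them will not behave as numbers. Grok supports a type suffix in the field reference, %{NUMBER:bytes:int} and %{NUMBER:duration:float}, which converts the capture before the event is emitted. Second, a line that does not match the pattern is not dropped; Logstash keeps the event and adds the tag _grokparsefailure, which is what to search for when a pattern silently stops matching after a log-format change.

The following Ruby script is an added example, not Logstash's code and not from the original post: it is a miniature grok engine that expands the same %{NAME:field} syntax into a Ruby regular expression, runs it over constructed sample lines (the page's own line plus one with a query string), and applies the :int/:float conversions. The pattern table is a simplified subset of the standard logstash-patterns-core definitions (IP covers IPv4 only) so that the file runs stand-alone; the function names are this example's own.

```ruby
# Miniature grok engine (added example; not Logstash's own implementation).
# GROK_PATTERNS is a simplified subset of logstash-patterns-core: IP is IPv4-only
# here, the real library also accepts IPv6. Everything else is an assumption of
# this example, not something the page shows.
GROK_PATTERNS = {
  'INT'          => '(?:[+-]?(?:[0-9]+))',
  'BASE10NUM'    => '(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))',
  'NUMBER'       => '(?:%{BASE10NUM})',
  'WORD'         => '\b\w+\b',
  'IPV4'         => '(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]){3}(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])(?![0-9])',
  'IP'           => '(?:%{IPV4})',
  'URIPATH'      => '(?:/[A-Za-z0-9$.+!*\'(){},~:;=@#%&_\-]*)+',
  'URIPARAM'     => '\?[A-Za-z0-9$.+!*\'|(){},~@#%&/=:;_?\-\[\]<>]*',
  'URIPATHPARAM' => '%{URIPATH}(?:%{URIPARAM})?',
}.freeze

# %{NAME}, %{NAME:field} or %{NAME:field:type}
GROK_TOKEN = /%\{(?<name>\w+)(?::(?<field>\w+))?(?::(?<type>\w+))?\}/

# Recursively replace every %{...} reference with its regex body. A field name
# becomes a Ruby named group; the requested type (int/float/string) is recorded
# in `types` so the caller can convert the capture afterwards.
def grok_expand(src, patterns, types)
  src.gsub(GROK_TOKEN) do |tok|
    m = GROK_TOKEN.match(tok)
    body = patterns.fetch(m[:name]) { |k| raise ArgumentError, "unknown grok pattern #{k}" }
    inner = grok_expand(body, patterns, types)
    if m[:field]
      types[m[:field]] = m[:type] || 'string'
      "(?<#{m[:field]}>#{inner})"
    else
      "(?:#{inner})"
    end
  end
end

# Returns [Regexp, { field => type }] for a grok pattern string.
def grok_compile(pattern, patterns = GROK_PATTERNS)
  types = {}
  [Regexp.new(grok_expand(pattern, patterns, types)), types]
end

# Parse one log line. Returns a Hash of field => value, or nil when the line does
# not match (Logstash would keep the event and tag it _grokparsefailure instead).
def grok_parse(line, pattern, patterns = GROK_PATTERNS)
  re, types = grok_compile(pattern, patterns)
  m = re.match(line)
  return nil unless m
  m.named_captures.each_with_object({}) do |(field, value), event|
    event[field] =
      case types[field]
      when 'int'   then Integer(value, 10)
      when 'float' then Float(value)
      else value
      end
  end
end

# Constructed sample input: the page's own line plus one with a query string.
SAMPLE_LINE = '55.3.244.1 GET /index.html 15824 0.043'
QUERY_LINE  = '10.0.0.7 POST /login?user=admin 512 1.5'

# The pattern exactly as written in the page's config, and a typed variant.
PAGE_PATTERN  = '%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}'
TYPED_PATTERN = '%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes:int} %{NUMBER:duration:float}'

if __FILE__ == $PROGRAM_NAME
  p grok_parse(SAMPLE_LINE, PAGE_PATTERN)   # bytes and duration stay strings
  p grok_parse(SAMPLE_LINE, TYPED_PATTERN)  # bytes => 15824, duration => 0.043
  p grok_parse(QUERY_LINE, TYPED_PATTERN)   # request keeps the ?user=admin part
  p grok_parse('not an access log line', PAGE_PATTERN)  # nil
end
```

The same :int and :float suffixes go straight into the match string of the grok filter in log01.conf; the Elasticsearch document then carries "bytes": 15824 rather than "bytes": "15824", and the field is mapped as a number on first index.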