[elk@dr-mysql01 frontend]$ ../../bin/logstash -f std02.conf Settings: Default pipeline workers: 8 Pipeline main started 31`31` ArgumentError: comparison of String with 5 failed >= at org/jruby/RubyComparable.java:155 >= at org/jruby/RubyString.java:1853 output_func at (eval):138 output_batch at /usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:293 each at org/jruby/RubyArray.java:1613 inject at org/jruby/RubyEnumerable.java:852 output_batch at /usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:287 worker_loop at /usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:232 start_workers at /usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:201 [elk@dr-mysql01 frontend]$ ../../bin/logstash -f std02.conf Settings: Default pipeline workers: 8 Pipeline main started ddsad ArgumentError: comparison of String with 5 failed >= at org/jruby/RubyComparable.java:155 >= at org/jruby/RubyString.java:1853 output_func at (eval):138 output_batch at /usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:293 each at org/jruby/RubyArray.java:1613 inject at org/jruby/RubyEnumerable.java:852 output_batch at /usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:287 worker_loop at /usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:232 start_workers at /usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:201 [elk@dr-mysql01 frontend]$ ^C [elk@dr-mysql01 frontend]$ vim std02.conf [elk@dr-mysql01 frontend]$ vim std02.conf [elk@dr-mysql01 frontend]$ cat std02.conf input { stdin { type => "zj_scan" } } filter { grok { match =>[ "message","%{IPORHOST:clientip} [%{HTTPDATE:time}] 
"%{WORD:verb} %{URIPATHPARAM:request}?.* HTTP/%{NUMBER:httpversion}" - %{NUMBER:http_status_code} %{NUMBER:bytes} "(?<http_referer>S+)" "(?<http_user_agent>(S+s+)*S+)" (%{BASE16FLOAT:request_time}) (%{IPORHOST:http_x_forwarded_for}|-)", "message" , "%{IPORHOST:clientip} [%{HTTPDATE:time}] "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" - %{NUMBER:http_status_code} %{NUMBER:bytes} "(?<http_referer>S+)" "(?<http_user_agent>(S+s+)*S+)" (%{BASE16FLOAT:request_time}) (%{IPORHOST:http_x_forwarded_for}|-)", "message","%{IPORHOST:clientip} [%{HTTPDATE:time}] "%{WORD:verb} (?<http_url>S+)s+HTTP/%{NUMBER:httpversion}"s+-s+%{NUMBER:http_status_code}s+%{NUMBER:bytes}s+"-"s+"(?<http_user_agent>(S+))"s+(%{BASE16FLOAT:request_time})s+(%{IPORHOST:http_x_forwarded_for}|-)" ] } geoip { source => "http_x_forwarded_for" target => "geoip" database => "/usr/local/logstash-2.3.4/etc/GeoLiteCity.dat" add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ] add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ] } mutate { convert => [ "[geoip][coordinates]", "float"] convert => [ "request_time", "float"] add_field =>["response_time","%{request_time}"] convert => [ "response_time", "float"] add_field => [ "[@metadata][zabbix_key]" , "logstash-api-access" ] add_field => [ "[@metadata][zabbix_host]" , "dr-mysql01" ] add_field =>["messager","%{type}%{message}"] remove_field =>["request_time"] remove_field =>["message"] } date { match => ["time", "dd/MMM/yyyy:HH:mm:ss Z"] } } output { stdout { codec => rubydebug } # if [response_time] >= 5 { # zabbix { # zabbix_host => "[@metadata][zabbix_host]" # zabbix_key => "[@metadata][zabbix_key]" # zabbix_server_host => "192.168.32.55" # zabbix_server_port => "10051" # zabbix_value => "messager" # } # } } [elk@dr-mysql01 frontend]$ ../../bin/logstash -f std02.conf Settings: Default pipeline workers: 8 Pipeline main started 121 { "@version" => "1", "@timestamp" => "2016-09-27T05:40:46.547Z", "type" => "zj_scan", "host" 
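=> "dr-mysql01.zjcap.com", "tags" => [ [0] "_grokparsefailure" ], "response_time" => "%{request_time}", "messager" => "zj_scan121" } 加载 zabbix 插件后，只要 grok 匹配不上，logstash 就会挂掉，也不会打印匹配不上的记录。原因：匹配失败时 request_time 字段不存在，response_time 仍是字符串 "%{request_time}"（见上面的 rubydebug 输出），输出段的条件 `if [response_time] >= 5` 把字符串与数字 5 比较，于是抛出 ArgumentError: comparison of String with 5 failed，管道随之退出。可以在条件里先排除解析失败的事件，例如 `if "_grokparsefailure" not in [tags] and [response_time] >= 5`，并把 response_time 的 float 转换放到单独的 mutate 块中（同一个 mutate 里 add_field 可能在 convert 之后才执行，转换不一定生效——需自行验证）；否则任何一条无法解析的日志行都会让整个日志采集和告警管道停掉。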