• logstash:使用 date 过滤器,避免 @timestamp(实际处理时间)与事件产生时间出现偏差


                     "message" => " 10.168.255.134 [12/Sep/2016:16:30:40 +0800] "GET /resources/plugins/artDialog/dialog-min.js?v=1&_=1473669040515 HTTP/1.1" - 200 9946 "https://wenjinbao.winfae.com/forgetPassword.html" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36" 0.001 115.234.183.214",
                    "@version" => "1",
                  "@timestamp" => "2016-09-12T08:31:06.630Z",
                        "path" => "/data01/applog_backup/winfae_log/wj-frontend01-access.2016-09-12",
                        "host" => "dr-mysql01.zjcap.com",
                        "type" => "wj_frontend_access",
                    "clientip" => "10.168.255.134",
                        "time" => "12/Sep/2016:16:30:40 +0800",
    
    
    # Filter stage for the frontend access logs: parse the raw line with grok,
    # geolocate the forwarded-for address, normalise numeric fields, and set
    # @timestamp from the time recorded in the log line.
    filter {
        # Two patterns are listed for "message". They extract clientip, time, verb,
        # request, httpversion, http_status_code, bytes, http_referer,
        # http_user_agent, request_time and http_x_forwarded_for.
        # NOTE(review): as printed here the regex escapes look lost (S+ / s+ where
        # \S+ / \s+ would be expected, unescaped [ ] and inner double quotes) --
        # probably stripped when the page was rendered; restore and test the
        # patterns against a sample line before relying on them.
        grok {
            match =>[ 
                 "message","%{IPORHOST:clientip} [%{HTTPDATE:time}] "%{WORD:verb} %{URIPATHPARAM:request}?.* HTTP/%{NUMBER:httpversion}" - %{NUMBER:http_status_code} %{NUMBER:bytes} "(?<http_referer>S+)" "(?<http_user_agent>(S+s+)*S+)" (%{BASE16FLOAT:request_time}) (%{IPORHOST:http_x_forwarded_for}|-)", 
                 "message" , "%{IPORHOST:clientip} [%{HTTPDATE:time}] "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" - %{NUMBER:http_status_code} %{NUMBER:bytes} "(?<http_referer>S+)" "(?<http_user_agent>(S+s+)*S+)" (%{BASE16FLOAT:request_time}) (%{IPORHOST:http_x_forwarded_for}|-)"
                 
            ]
        }   
            # Geolocation is looked up from http_x_forwarded_for, the last field of
            # the log line, and stored under [geoip].
            # NOTE(review): X-Forwarded-For is a request header; unless a trusted
            # proxy overwrites it, the value is client-controlled, so the resulting
            # location should not be treated as authoritative in alerting or
            # investigations -- confirm how the front-end proxy sets this header.
            # The two add_field entries append longitude then latitude to
            # [geoip][coordinates].
            geoip {
                            source => "http_x_forwarded_for"
                            target => "geoip"
                            database => "/usr/local/logstash-2.3.4/etc/GeoLiteCity.dat"
                            add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
                            add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
                    }
                    # Converts the coordinates and request_time to float, copies
                    # request_time into response_time, then drops request_time.
                    # NOTE(review): add_field / remove_field are common options applied
                    # after the mutate's own operations, so the convert of
                    # response_time presumably runs before that field exists and it
                    # may stay a string -- verify, or do the convert in a second mutate.
                    mutate {
                            convert => [ "[geoip][coordinates]", "float"]
                            convert => [ "request_time", "float"]
                           add_field =>["response_time","%{request_time}"]
                            convert => [ "response_time", "float"]
                            remove_field =>["request_time"]
                            
                    }
                  # Parses the grok-extracted "time" field (e.g. 12/Sep/2016:22:26:47 +0800).
                  # No target is given, so the parsed value replaces @timestamp; this is
                  # what keeps event time, not processing time, in the index.
                  # If parsing fails the event is tagged _dateparsefailure and @timestamp
                  # remains the processing time, so watch for that tag when building timelines.
                  date {
            match => ["time", "dd/MMM/yyyy:HH:mm:ss Z"]
        }
         
    }
    
    
                     "message" => " 10.171.246.184 [12/Sep/2016:22:26:47 +0800] "GET /resources/images/icon/icon_stock.6fe20e7d.png HTTP/1.1" - 200 20528 "https://www.zjcap.cn/resources/css/index.css?06212016" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36" 0.001 122.235.174.156",
                    "@version" => "1",
                  "@timestamp" => "2016-09-12T14:26:47.000Z",
                        "path" => "/data01/applog_backup/zjzc_log/zj-frontend01-access.2016-09-12",
                        "host" => "dr-mysql01.zjcap.com",
                        "type" => "zj_frontend_access",
                    "clientip" => "10.171.246.184",
                        "time" => "12/Sep/2016:22:26:47 +0800",
    
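    对比上面两段输出:第一段(应为未使用 date 过滤器时的结果)中 @timestamp 为 2016-09-12T08:31:06.630Z,而日志时间 16:30:40 +0800 对应 08:30:40Z,两者相差约 26 秒;第二段中 @timestamp 为 2016-09-12T14:26:47.000Z,与日志时间 22:26:47 +0800 完全一致。这种做法在实时数据处理时同样有效,因为一般情况下数据流程中都会有缓冲区,导致最终的实际处理时间与事件产生时间略有偏差。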

  • 原文地址:https://www.cnblogs.com/zhaoyangjian724/p/6199217.html