grok 正则解析日志例子<1>

下面是日志的样子：
55.3.244.1 GET /index.html 15824 0.043

正则的例子
%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}

配置文件里是怎么写的？

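# Logstash pipeline: tail the access log and split each line into fields with grok.
input {
  file {
    # Fixed: the original used typographic quotes (“ ”) around the path, which the
    # Logstash config parser does not accept as a string literal.
    path => "/var/log/http.log"
  }
}
filter {
  grok {
    # Each %{PATTERN:name} capture becomes an event field (client, method,
    # request, bytes, duration); captured values are strings unless converted.
    match => [ "message", "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" ]
  }
}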

解析后是什么样子？

client: 55.3.244.1
method: GET
request: /index.html
bytes: 15824
duration: 0.043

/*********1

zjtest7-frontend:/usr/local/logstash-2.3.4/config# cat log01.conf 
# Minimal pipeline: read the log file and print every event as-is (no parsing yet).
input {
  file {
    path => "/var/log/http.log"
  }
}

output {
  # rubydebug prints the raw event: message, @version, @timestamp, path, host.
  stdout {
    codec => rubydebug {}
  }
}
此时的输出
Pipeline main started
{
       "message" => "55.3.244.1 GET /index.html 15824 0.043",
      "@version" => "1",
    "@timestamp" => "2016-08-27T15:03:23.554Z",
          "path" => "/var/log/http.log",
          "host" => "0.0.0.0"
}


/***换成json呢?

zjtest7-frontend:/usr/local/logstash-2.3.4/config# ../bin/logstash -f log01.conf 
Settings: Default pipeline workers: 1
Pipeline main started
{"message":"55.3.244.1 GET /index.html 15824 0.043","@version":"1","@timestamp":"2016-08-27T15:05:07.945Z","path":"/var/log/http.log","host":"0.0.0.0"}


/***分别发送到elasticsearch看下:


zjtest7-frontend:/usr/local/logstash-2.3.4/config# cat log01.conf 
# Ship each raw event to Elasticsearch and echo it locally at the same time.
input {
  file {
    path => "/var/log/http.log"
  }
}

output {
  elasticsearch {
    # Plain HTTP to a single ES node; no credentials or TLS are configured in this lab setup.
    hosts => ["192.168.32.80:9200"]
    index => "logstash-zjzc-test"
  }
  stdout {
    codec => rubydebug
  }
}

输出:
Settings: Default pipeline workers: 1
Pipeline main started
{
       "message" => "55.3.244.1 GET /index.html 15824 0.043",
      "@version" => "1",
    "@timestamp" => "2016-08-27T15:08:00.336Z",
          "path" => "/var/log/http.log",
          "host" => "0.0.0.0"
}

elasticsearch:
{

    "_index": "logstash-zjzc-test",
    "_type": "logs",
    "_id": "AVbMiuMLEY-onx06xWo-",
    "_version": 1,
    "_score": 1,
    "_source": {
        "message": "55.3.244.1 GET /index.html 15824 0.043",
        "@version": "1",
        "@timestamp": "2016-08-27T15:08:00.336Z",
        "path": "/var/log/http.log",
        "host": "0.0.0.0"
    }

}


/*******使用grok 正则解析日志
zjtest7-frontend:/usr/local/logstash-2.3.4/config# cat log01.conf 
# Full pipeline: tail the log, grok each line into fields, then index and echo the event.
input {
  file {
    path => "/var/log/http.log"
  }
}

filter {
  grok {
    # Hash form of match; equivalent to the [ "message", pattern ] array form.
    # Named captures become event fields. Values stay strings (see "bytes" => "15824"
    # in the output) unless a type suffix such as %{NUMBER:bytes:int} is used.
    # Lines that do not match are left unparsed and tagged _grokparsefailure by default.
    match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" }
  }
}

output {
  elasticsearch {
    # Plain HTTP to a single ES node; no credentials or TLS are configured in this lab setup.
    hosts => ["192.168.32.80:9200"]
    index => "logstash-zjzc-test"
  }
  stdout {
    codec => rubydebug
  }
}


输出:
zjtest7-frontend:/usr/local/logstash-2.3.4/config# ../bin/logstash -f log01.conf 
Settings: Default pipeline workers: 1
Pipeline main started
{
       "message" => "55.3.244.1 GET /index.html 15824 0.043",
      "@version" => "1",
    "@timestamp" => "2016-08-27T15:09:59.173Z",
          "path" => "/var/log/http.log",
          "host" => "0.0.0.0",
        "client" => "55.3.244.1",
        "method" => "GET",
       "request" => "/index.html",
         "bytes" => "15824",
      "duration" => "0.043"
}

elasticsearch:
{

    "_index": "logstash-zjzc-test",
    "_type": "logs",
    "_id": "AVbMjLJeEY-onx06xWpC",
    "_version": 1,
    "_score": 1,
    "_source": {
        "message": "55.3.244.1 GET /index.html 15824 0.043",
        "@version": "1",
        "@timestamp": "2016-08-27T15:09:59.173Z",
        "path": "/var/log/http.log",
        "host": "0.0.0.0",
        "client": "55.3.244.1",
        "method": "GET",
        "request": "/index.html",
        "bytes": "15824",
        "duration": "0.043"
    }

}



   

原文地址:https://www.cnblogs.com/zhaoyangjian724/p/6199293.html