这是一篇随手写的笔记，方便自己记住自定义正则的用法。
日志格式示例：[GIN] 2020/03/23 - 00:02:55 | 404 | 1.932204ms | 86.14.67.203 | GET /api/retail/product
# Logstash pipeline: parse Gin access-log lines of the form
#   [GIN] 2020/03/23 - 00:02:55 | 404 | 1.932204ms | 86.14.67.203 | GET /api/retail/product
# into structured fields, enrich the client IP with GeoIP data, and ship the
# result to Elasticsearch (and echo every event to stdout).
input {
  # Read events typed on stdin (useful for trying the grok pattern by hand).
  stdin { }
  # Beats listener; every event received here gets myid=nginx attached.
  # NOTE(review): no ssl settings are given here, so the listener accepts
  # plaintext, unauthenticated connections unless that is configured
  # elsewhere — confirm for anything beyond a lab setup.
  beats {
    add_field => {"myid"=>"nginx"}
    port => 5043
  }
  # Syslog listener on the standard port. Ports below 1024 normally need
  # root or the equivalent bind capability, so Logstash itself must run
  # with that extra privilege for this input to start.
  syslog {
    port => 514
    type => "system-syslog"
  }
}
filter {
  grok {
    ######################################################################
    # DEFINEGIN \[GIN\]
    #
    # DEFINESTATUS \d{3}
    #
    # DEFINEDATETIME \d{4}/\d{2}/\d{2} - \d{2}:\d{2}:\d{2}
    #
    # DEFINEDATE \d{4}/\d{2}/\d{2}
    #
    # DEFINETIME \d{2}:\d{2}:\d{2}
    #
    # DEFINERESPONSE_TIME .*?
    #
    # DEFINEIP \d+\.\d+\.\d+\.\d+
    #
    # DEFINEURI .*
    ##################################################################### these are the custom patterns defined in the `extra` file under the patterns directory
    #
    # Notes on the custom patterns above:
    # - DEFINEIP only checks for four dotted digit groups; it also accepts
    #   values like 999.1.1.1 that are not valid addresses. grok's built-in
    #   IP pattern is stricter if that matters downstream.
    # - DEFINEURI is `.*`, so `uri` holds everything to the end of the line,
    #   exactly as the client sent it (path and any query string) — it is
    #   untrusted input and is stored unmodified.
    # - DEFINERESPONSE_TIME (`.*?`) is followed directly by `\|` in the match
    #   below with no %{SPACE} in between, so `resp_time` appears to keep its
    #   trailing space (e.g. "1.932204ms ") — confirm against real events.
    # - Events that do not match (the syslog input's events, for instance,
    #   which do not start with "[GIN]") get the _grokparsefailure tag.
    patterns_dir => ["./patterns"] # directory holding the custom patterns (relative to where Logstash is started from); the SPACE pattern is provided by grok itself
    match => {"message" => "%{DEFINEGIN:gin}%{SPACE}%{DEFINEDATETIME:datetime}%{SPACE}\|%{SPACE}%{DEFINESTATUS:status}%{SPACE}\|%{SPACE}%{DEFINERESPONSE_TIME:resp_time}\|%{SPACE}%{DEFINEIP:clientip}%{SPACE}\|%{SPACE}%{WORD:method}%{SPACE}%{DEFINEURI:uri}"}
  }
  # Look up the client address extracted above and write the result under
  # the `geoip` field; a failed lookup adds the _geoip_lookup_failure tag.
  geoip {
    source => "clientip"
    target => "geoip"
  }
  date {
    match => ["datetime", "yyyy/MM/dd - HH:mm:ss", "ISO8601"] # parse `datetime` with the format that follows (ISO8601 as a fallback), then assign it to @timestamp by default
  }
  # Drop the raw line and the transport/bookkeeping fields before output.
  # NOTE(review): removing `tags` unconditionally also discards the
  # _grokparsefailure / _geoip_lookup_failure markers, and `message` is gone
  # as well, so an event that failed to parse reaches Elasticsearch with
  # neither its raw text nor any sign that parsing failed. Removing `type`
  # also drops the "system-syslog" value set by the syslog input above.
  # Consider keeping `tags` (or removing only specific entries) so failures
  # stay visible.
  mutate {
    remove_field => ["message", "tags", "ident", "auth", "@version", "beat", "input_type", "type", "source", "offset"]
  }
}
output {
  # Index into Elasticsearch, one index per day.
  # NOTE(review): the endpoint is plain http and no user/password or ssl
  # settings appear here, so events travel in cleartext to an
  # unauthenticated endpoint unless that is handled elsewhere — confirm.
  elasticsearch {
    hosts => ["http://192.168.137.200:9200"]
    index => "nohup-%{+YYYY.MM.dd}"
  }
  # Echo every event (including clientip and uri) to stdout in Ruby debug
  # form; this duplicates the data into whatever captures Logstash's stdout.
  stdout {
    codec => rubydebug
  }
}