Logstash日志字段拆分grok

参考和测试网站:http://grokdebug.herokuapp.com

例如:test-39.dev.abc-inc.com Mon Apr 24 13:53:58 CST 2017 2017-04-16 23:37:44,282 [DEBUG] add service:com.abc.open.nlp.facade.NLPService

正则表达式过滤为:%{HOSTNAME:hostabc} %{DAY:zhouji} %{WORD:month} %{MONTHDAY:jihao} %{TIME:shijian} %{TZ:biaozhun} %{YEAR:nian} %{TIMESTAMP_ISO8601:shijianquan} \[%{WORD:zhonglei}\] %{WORD:caozuo} %{NOTSPACE:info}

过滤结果为:

{
  "hostabc": [
    [
      "test-39.dev.abc-inc.com"
    ]
  ],
  "zhouji": [
    [
      "Mon"
    ]
  ],
  "month": [
    [
      "Apr"
    ]
  ],
  "jihao": [
    [
      "24"
    ]
  ],
  "shijian": [
    [
      "13:53:58"
    ]
  ],
  "HOUR": [
    [
      "13",
      "23",
      null
    ]
  ],
  "MINUTE": [
    [
      "53",
      "37",
      null
    ]
  ],
  "SECOND": [
    [
      "58",
      "44,282"
    ]
  ],
  "biaozhun": [
    [
      "CST"
    ]
  ],
  "nian": [
    [
      "2017"
    ]
  ],
  "shijianquan": [
    [
      "2017-04-16 23:37:44,282"
    ]
  ],
  "YEAR": [
    [
      "2017"
    ]
  ],
  "MONTHNUM": [
    [
      "04"
    ]
  ],
  "MONTHDAY": [
    [
      "16"
    ]
  ],
  "ISO8601_TIMEZONE": [
    [
      null
    ]
  ],
  "zhonglei": [
    [
      "DEBUG"
    ]
  ],
  "caozuo": [
    [
      "add"
    ]
  ],
  "info": [
    [
      "service:com.abc.open.nlp.facade.NLPService"
    ]
  ]
}

正则表达式参考:http://grokdebug.herokuapp.com/patterns#

Logstash最佳实践参考链接:http://udn.yyuap.com/doc/logstash-best-practice-cn/get_start/index.html

OVER

你可能感兴趣的:(Logstash日志字段拆分grok)