A simple test of the Logstash grok filter plugin

Logstash configuration file

# vim useTime.conf

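# Read test lines from standard input
input {
    stdin{}
}
# Named captures in the regex become event fields: API and useTime
filter {
    grok {
        match => {
            "message" => "\s+(?<API>調用.*(用時|異常)).*useTime=(?<useTime>\d+?)$"
        }
    }
}
# Print each parsed event in rubydebug form
output {
    stdout{
        codec => rubydebug
    }
}

Filter regular expressions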

\s+(?<API>調用.*(用時|異常))  -->  調用gz(廣州銀行)用時

useTime=(?<useTime>\d+?)$  --> useTime=251

 

Test log lines:

[07/29 00:01:17] [INFO] `B10005-15` impl.GzClientServiceImpl.exec:234 - 調用gz(廣州銀行)用時,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=251

[07/29 00:01:17] [INFO] `B10005-15` impl.GzClientServiceImpl.exec:234 - 調用gz(廣州銀行)異常,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=2510

 

Test results:

[root@test ~]# /opt/logstash-2.3.4/bin/logstash -f useTime.conf
Settings: Default pipeline workers: 1
Pipeline main started
[07/29 00:01:17] [INFO] `B10005-15` impl.GzClientServiceImpl.exec:234 - 調用gz(廣州銀行)用時,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=251
{
       "message" => "[07/29 00:01:17] [INFO] `B10005-15` impl.GzClientServiceImpl.exec:234 - 調用gz(廣州銀行)用時,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=251",
      "@version" => "1",
    "@timestamp" => "2016-07-30T15:09:21.376Z",
          "host" => "0.0.0.0",
           "API" => "調用gz(廣州銀行)用時",
       "useTime" => "251"
}
[07/29 00:01:17] [INFO] `B10005-15` impl.GzClientServiceImpl.exec:234 - 調用gz(廣州銀行)異常,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=2510
{
       "message" => "[07/29 00:01:17] [INFO] `B10005-15` impl.GzClientServiceImpl.exec:234 - 調用gz(廣州銀行)異常,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=2510",
      "@version" => "1",
    "@timestamp" => "2016-07-30T15:09:28.885Z",
          "host" => "0.0.0.0",
           "API" => "調用gz(廣州銀行)異常",
       "useTime" => "2510"
}
^CSIGINT received. Shutting down the agent. {:level=>:warn}
stopping pipeline {:id=>"main"}
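
The same match replayed outside Logstash, as an added example that is not part of the original post: Ruby accepts the same named-group syntax, so the page's pattern can be run against the two test lines plus one constructed line that does not match. The grok, suspicious? and run helpers, the third log line and the threshold value are assumptions made for illustration.

```ruby
# Same regex as the grok "match" on this page, compiled by Ruby.
PATTERN = /\s+(?<API>調用.*(用時|異常)).*useTime=(?<useTime>\d+?)$/

# Mimics what grok does with one event: add the named captures on a match,
# or tag the event with grok's default failure tag when nothing matches.
def grok(line)
  event = { "message" => line }
  m = PATTERN.match(line)
  if m
    event["API"] = m["API"]
    event["useTime"] = m["useTime"] # captures stay strings, as in the rubydebug output
  else
    event["tags"] = ["_grokparsefailure"]
  end
  event
end

# Hypothetical follow-up check: flag calls that ended in 異常 or whose
# useTime is above a threshold (same unit as the log field).
def suspicious?(event, threshold)
  return false unless event.key?("useTime")
  event["API"].end_with?("異常") || Integer(event["useTime"], 10) > threshold
end

LINES = [
  # The two test lines from this page.
  "[07/29 00:01:17] [INFO] `B10005-15` impl.GzClientServiceImpl.exec:234 - 調用gz(廣州銀行)用時,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=251",
  "[07/29 00:01:17] [INFO] `B10005-15` impl.GzClientServiceImpl.exec:234 - 調用gz(廣州銀行)異常,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=2510",
  # Constructed line: text follows the digits, so \d+?$ cannot match.
  "[07/29 00:01:18] [INFO] `B10005-15` impl.GzClientServiceImpl.exec:234 - 調用gz(廣州銀行)用時,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=251ms",
]

# Returns one row per line: [API, useTime, tags, flagged?]
def run(threshold = 1000)
  LINES.map do |line|
    e = grok(line)
    [e["API"], e["useTime"], e["tags"], suspicious?(e, threshold)]
  end
end

run.each { |row| p row } if __FILE__ == $0
```

The third row shows why unparsed events need their own handling: a line tagged _grokparsefailure carries no useTime field, so any threshold check on that field silently skips it.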


Over!!
