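Grok match json field and value

I'm using koajs with bunyan to save error logs to my server, and then I use filebeat to ship them to my logstash application.
My error logs are being forwarded correctly, but now I want to create a filter that will add a tag to specific logs.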
{"name":"myapp","hostname":"sensu-node-dev","pid":227,"level":50,"err":{"message":"Cannot find module 'lol'","name":"Error","stack":"Error: Cannot find module 'lol'\n at Function.Module._resolveFilename (module.js:339:15)\n at Function.Module._load (module.js:290:25)\n at Module.require (module.js:367:17)\n at require (internal/module.js:16:19)\n at Object.<anonymous> (/srv/www/dev.site/app.js:27:6)\n at next (native)\n at Object.<anonymous> (/srv/www/dev.site/node_modules/koa-compose/index.js:29:5)\n at next (native)\n at onFulfilled (/srv/www/dev.site/node_modules/co/index.js:65:19)\n at /srv/www/dev.site/node_modules/co/index.js:54:5","code":"MODULE_NOT_FOUND"},"msg":"Cannot find module 'lol'","time":"2016-02-24T22:04:26.492Z","v":0}
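Now, the interesting parts of that specific log are the "err":{...} and "name":"Error" bits. To keep it simple, I just want to create a filter that detects "name":"Error" in the log (if it exists) and then applies the tag add_tag => ["error"] to the log.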
Here is my /etc/logstash/conf.d/logstash.conf file:
input {
  beats {
    port => 5044
    type => "logs"
  }
}
filter {
  grok {
    type => "log"
    pattern => "???" // <--- have no idea what to do here
    add_tag => ["error"]
  }
}
output {
  elasticsearch {
    hosts => "localhost:9200"
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
  http {
    http_method => "post"
    url => "<MY_URL>"
    format => "message"
    message => "{"text":"dis is workinz, you has error"}"
    tags => ["error"]
  }
}
I tried the following:
pattern => ""name":"Error""
But I got the following error:
Error: Expected one of #, {, } at line 9, column 31 (byte 107) after filter {
grok {
match => { "message" => ""
You may be interested in the '--configtest' flag which you can
use to validate logstash's configuration before you choose
to restart a running system.
There isn't a simple example anywhere of this specific type of match.
Bonus: also, how do you escape in logstash? I couldn't find anything about this.
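
One way to build the filter described above, as an added example that is not part of the original post: parse the Bunyan JSON line with the json filter and test the nested err.name field in a conditional, instead of matching raw text. The target name "bunyan" is an assumption, as is Filebeat delivering the JSON line in the "message" field.

```logstash
filter {
  # Parse the Bunyan JSON line that Filebeat ships in "message".
  # "bunyan" is an assumed target name; it keeps the parsed keys
  # (name, hostname, level, ...) from colliding with event fields.
  # Lines that are not valid JSON are tagged _jsonparsefailure.
  json {
    source => "message"
    target => "bunyan"
  }

  # Tag only events whose nested err.name field is exactly "Error".
  # Events without an "err" object do not match and stay untagged.
  if [bunyan][err][name] == "Error" {
    mutate {
      add_tag => ["error"]
    }
  }

  # Text-matching alternative with grok: wrap the pattern in single
  # quotes so the literal double quotes need no escaping. add_tag is
  # applied only when the pattern matches; tag_on_failure => [] stops
  # non-matching events from being tagged _grokparsefailure.
  #
  # grok {
  #   match => { "message" => '"name":"Error"' }
  #   add_tag => ["error"]
  #   tag_on_failure => []
  # }
}
```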