2016-09-20 45 views
-1

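I am trying to figure out the grok pattern for the log file below. It contains 1 success log line and 1 warning log entry. How do I write a grok pattern for this log file?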

2016-09-03T12:53:31-04:00 DEV SampleFileService INFO 512132:414618:SampleFileService-2-FTS EXECUTING: Error Handling Client Request started 

2016-09-03T12:53:31-04:00 DEV SampleFileService WARNING 512133:414618:SampleFileService-2-FTS ERROR: Error while sending ErrorHandler request to IEHS Queue: test.queue.publish 
Retry count 1 of 3, 
Error: 
<ns0:ErrorReport xmlns:ns0="http://www.tibco.com/pe/EngineTypes"> 
    <StackTrace>Job-414618 Error in [Process-Path!!] 
There was an unexpected error while sending a message. 
    at com.tibco.plugin.share.jms.impl.JMSSender.send(Unknown Source) 
    at com.tibco.plugin.share.jms.impl.JMSSender.send(Unknown Source) 
    at com.tibco.plugin.jms.JMSAbstractTransmitActivity.eval(Unknown Source) 
    at com.tibco.pe.plugin.Activity.eval(Unknown Source) 
    at com.tibco.pe.core.TaskImpl.eval(Unknown Source) 
    at com.tibco.pe.core.Job.a(Unknown Source) 
    at com.tibco.pe.core.Job.k(Unknown Source) 
    at com.tibco.pe.core.JobDispatcher$JobCourier.a(Unknown Source) 
    at com.tibco.pe.core.JobDispatcher$JobCourier.run(Unknown Source) 
caused by: com.tibco.plugin.share.jms.impl.JMSExceptionWrapper: javax.jms.JMSException: Failure storing message 
    at com.tibco.plugin.share.jms.impl.JMSPluginException.&lt;init&gt;(Unknown Source) 
    at com.tibco.plugin.share.jms.impl.JMSSender.send(Unknown Source) 
    at com.tibco.plugin.share.jms.impl.JMSSender.send(Unknown Source) 
    at com.tibco.plugin.jms.JMSAbstractTransmitActivity.eval(Unknown Source) 
    at com.tibco.pe.plugin.Activity.eval(Unknown Source) 
    at com.tibco.pe.core.TaskImpl.eval(Unknown Source) 
    at com.tibco.pe.core.Job.a(Unknown Source) 
    at com.tibco.pe.core.Job.k(Unknown Source) 
    at com.tibco.pe.core.JobDispatcher$JobCourier.a(Unknown Source) 
    at com.tibco.pe.core.JobDispatcher$JobCourier.run(Unknown Source) 
Caused by: javax.jms.JMSException: Failure storing message 
    at com.tibco.tibjms.Tibjmsx.buildException(Tibjmsx.java:612) 
    at com.tibco.tibjms.TibjmsxSessionImp._publish(TibjmsxSessionImp.java:1544) 
    at com.tibco.tibjms.TibjmsMessageProducer._publish(TibjmsMessageProducer.java:246) 
    at com.tibco.tibjms.TibjmsQueueSender.send(TibjmsQueueSender.java:74) 
    ... 9 more 
</StackTrace> 
    <Msg>There was an unexpected error while sending a message.</Msg> 
    <FullClass>com.tibco.plugin.share.jms.impl.JMSPluginException</FullClass> 
    <Class>JMSPluginException</Class> 
    <ProcessStack>Stack-Path!!</ProcessStack> 
    <MsgCode>BW-JMS-100039</MsgCode> 
</ns0:ErrorReport> 
+0

Can you state what you want to extract from your logs? Because if there is no information to retrieve, the grok filter is useless. – baudsp

+0

These may also help you: [grok filter tester](http://grokconstructor.appspot.com/do/match#result), [grok filter documentation](https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html) and [Grok patterns](https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/grok-patterns). – baudsp

+0

Considering the first line, it should be timestamp -> 2016-09-03T12:53:31-04:00, Env -> Dev, Application -> SampleFileService, Level -> Info, Thread -> 512132:414618:SampleFileService-2-FTS, Status -> EXECUTING, Message -> (the remainder of the message). The second line has more information logged in the field 'Message'. –

Answer

2

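You have to use the multiline filter/codec on your input, so that all the lines of a message are grouped together. The configuration is the same in both cases: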

multiline { 
    # "^" anchors the match so only lines that *start* with a timestamp open a new event
    pattern => "^%{TIMESTAMP_ISO8601}" 
    negate => "true" 
    what => "previous" 
} 

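This will group the lines that do not start with an ISO 8601 date with the previous line. So, in the case of your second message, all the lines will be together.

Then you can use this grok pattern: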

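grok { 
    # (?m) lets GREEDYDATA span the newlines of a multiline event
    match => { "message" => "(?m)%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:env}%{SPACE}%{WORD:application}%{SPACE}%{WORD:level}%{SPACE}%{NOTSPACE:thread}%{SPACE}%{WORD:status}:%{SPACE}%{GREEDYDATA:message}" } 
    # replace the original "message" instead of turning it into an array
    overwrite => [ "message" ] 
} 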
+0

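I tried several combinations; as a newbie, the pattern syntax is a bit confusing.. The log I am trying to parse has some tab delimiters (it turned into a 'space' after pasting here... never mind :)). Also, I could not combine the string '512132:414618:SampleFileService-2-FTS' into a single word. It is getting split as well. Although I referred to https://github.com/hpcugent/logstash-patterns/blob/master/files/grok-patterns I did not know where to apply it in the above log message. But thanks for your help, you are by no means stupid... I would say a savior. Thanks.. –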

+0

You're welcome. Did it work? If it does not/did not give the expected result, please don't hesitate to add information to your question – baudsp
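An added example, not part of the original thread: a Python emulation of the answer's multiline grouping and grok pattern, useful for checking offline that tab-delimited input parses and that the thread string stays one field. The regexes are simplified stand-ins for the grok patterns (an assumption, not Logstash's own definitions), and the sample is constructed from the log in the question.

```python
import re

# Constructed sample: abbreviated from the log in the question, with tab
# delimiters restored in the first event as the asker describes.
SAMPLE = (
    "2016-09-03T12:53:31-04:00\tDEV\tSampleFileService\tINFO\t"
    "512132:414618:SampleFileService-2-FTS\tEXECUTING: Error Handling Client Request started\n"
    "2016-09-03T12:53:31-04:00 DEV SampleFileService WARNING "
    "512133:414618:SampleFileService-2-FTS ERROR: Error while sending ErrorHandler request\n"
    "Retry count 1 of 3,\n"
    "Error:\n"
    "    at com.tibco.pe.core.Job.a(Unknown Source)\n"
    "    <MsgCode>BW-JMS-100039</MsgCode>\n"
)

# Simplified stand-in for %{TIMESTAMP_ISO8601} (assumption: not the full grok definition).
TS = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:?\d{2})"
STARTS_EVENT = re.compile("^" + TS)

# Regex rendering of the answer's grok pattern: \s+ plays the role of %{SPACE},
# \w+ of %{WORD}, \S+ of %{NOTSPACE}; DOTALL lets the last field span newlines.
EVENT = re.compile(
    r"^(?P<timestamp>" + TS + r")\s+(?P<env>\w+)\s+(?P<application>\w+)\s+"
    r"(?P<level>\w+)\s+(?P<thread>\S+)\s+(?P<status>\w+):\s*(?P<message>.*)",
    re.DOTALL,
)

def group_events(lines):
    """multiline with negate=true, what=previous: glue non-timestamp lines to the prior event."""
    events = []
    for line in lines:
        if STARTS_EVENT.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events

def parse(text):
    """Return one dict of fields per grouped event; unparsable events get a failure tag."""
    out = []
    for event in group_events(text.splitlines()):
        m = EVENT.match(event)
        out.append(m.groupdict() if m else {"tags": ["_grokparsefailure"], "message": event})
    return out

if __name__ == "__main__":
    for fields in parse(SAMPLE):
        print(fields)
```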