Logstash configuration file
# vim useTime.conf
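input {
    # read test log lines from the terminal
    stdin {}
}
filter {
    grok {
        match => {
            # API:     the text from 调用 ("call") up to 用时 ("elapsed time") or 异常 ("exception")
            # useTime: the digits after "useTime=" at the end of the line
            "message" => "\s+(?<API>调用.*(用时|异常)).*useTime=(?<useTime>\d+?)$"
        }
    }
}
output {
    stdout {
        # pretty-print each event so the extracted fields are visible
        codec => rubydebug
    }
}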
Filter regular expression
\s+(?<API>调用.*(用时|异常)) --> 调用gz(广州银行)用时
useTime=(?<useTime>\d+?)$ --> useTime=251
Test log lines:
[07/2900:01:17] [INFO] [[B10005-15]] impl.GzClientServiceImpl.exec:234 - 调用gz(广州银行)用时,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=251
[07/2900:01:17] [INFO] [[B10005-15]] impl.GzClientServiceImpl.exec:234 - 调用gz(广州银行)异常,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=2510
Test result:
[[email protected]~]# /opt/logstash-2.3.4/bin/logstash -f useTime.conf
Settings: Default pipeline workers: 1
Pipeline main started
[07/2900:01:17] [INFO] [[B10005-15]] impl.GzClientServiceImpl.exec:234 - 调用gz(广州银行)用时,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=251
{
    "message" => "[07/2900:01:17] [INFO] [[B10005-15]] impl.GzClientServiceImpl.exec:234 - 调用gz(广州银行)用时,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=251",
    "@version" => "1",
    "@timestamp" => "2016-07-30T15:09:21.376Z",
    "host" => "0.0.0.0",
    "API" => "调用gz(广州银行)用时",
    "useTime" => "251"
}
[07/2900:01:17] [INFO] [[B10005-15]] impl.GzClientServiceImpl.exec:234 - 调用gz(广州银行)异常,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=2510
{
    "message" => "[07/2900:01:17] [INFO] [[B10005-15]] impl.GzClientServiceImpl.exec:234 - 调用gz(广州银行)异常,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=2510",
    "@version" => "1",
    "@timestamp" => "2016-07-30T15:09:28.885Z",
    "host" => "0.0.0.0",
    "API" => "调用gz(广州银行)异常",
    "useTime" => "2510"
}
^CSIGINT received. Shutting down the agent. {:level=>:warn}
stopping pipeline {:id=>"main"}
over!!
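The same expression can be checked outside Logstash before it goes into a pipeline. The following is an added example, not part of the original post: it applies the regex from useTime.conf in plain Ruby (which accepts the same named-group syntax), tags lines that do not match the way grok does by default, and shows why the captured useTime string must be converted to an integer before comparing it with a threshold. The helper names `parse_use_time` and `slow_calls`, the threshold value and the third sample line are constructed for illustration.

```ruby
# Added example: the grok match from useTime.conf reproduced in plain Ruby.
# parse_use_time, slow_calls and the third sample line are constructed.

# Same expression as the "message" match in the config.
USE_TIME_RE = /\s+(?<API>调用.*(用时|异常)).*useTime=(?<useTime>\d+?)$/

# Build an event hash like the rubydebug output. A line that does not match
# gets the _grokparsefailure tag, as Logstash's grok filter does by default.
def parse_use_time(line)
  event = { "message" => line }
  m = USE_TIME_RE.match(line)
  if m
    event["API"] = m[:API]
    event["useTime"] = m[:useTime] # captured as a string, e.g. "251"
  else
    event["tags"] = ["_grokparsefailure"]
  end
  event
end

# Keep parsed events whose useTime is at or above the threshold.
# to_i matters: as strings, "251" sorts after "1000".
def slow_calls(events, threshold)
  events.select { |e| e.key?("useTime") && e["useTime"].to_i >= threshold }
end

SAMPLE_LINES = [
  # the two test lines from the post
  "[07/2900:01:17] [INFO] [[B10005-15]] impl.GzClientServiceImpl.exec:234 - 调用gz(广州银行)用时,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=251",
  "[07/2900:01:17] [INFO] [[B10005-15]] impl.GzClientServiceImpl.exec:234 - 调用gz(广州银行)异常,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=2510",
  # constructed line without the 调用 / useTime fields
  "[07/2900:01:18] [INFO] [[B10005-15]] impl.GzClientServiceImpl.exec:240 - connection closed",
].freeze

if __FILE__ == $0
  events = SAMPLE_LINES.map { |l| parse_use_time(l) }
  events.each { |e| puts e.reject { |k, _| k == "message" }.inspect }
  puts "slow: #{slow_calls(events, 1000).map { |e| e['API'] }.inspect}"
end
```

In the pipeline itself, the equivalent conversion is a `mutate` filter with `convert => { "useTime" => "integer" }` placed after the grok block.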
This article is from the "Cexpert" blog; please keep this source link: http://cexpert.blog.51cto.com/5251990/1832216
Logstash filter Plug-in Grok simple test