logstash grok正则调试
logstash 正则调试;
nginx 配置;
log_format main '$remote_addr [$time_local] "$request" '; logstash:
"message" =>"%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}\"" 输出: {
"message" => " 121.40.205.143 [29/Aug/2016:12:36:32 +0800] \"GET /favicon.ico HTTP/1.1\" - 404 2319 \"-\" \"Mozilla/5.0 (Linux; Android 5.1.1; vivo X6S A Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile MQQBrowser/6.2 TBS/036558 Safari/537.36 MicroMessenger/6.3.25.861 NetType/WIFI Language/zh_CN\" 0.000 -",
"@version" => "1",
"@timestamp" => "2016-08-29T04:39:16.608Z",
"path" => "/rsyslog/data/nginx/uat/nginx_access01_log.2016-08-29",
"host" => "0.0.0.0",
"type" => "uat_nginx_access",
"clientip" => "121.40.205.143",
"time" => "29/Aug/2016:12:36:32 +0800",
"verb" => "GET",
"request" => "/favicon.ico",
"httpversion" => "1.1"
} 此时grok 能正常匹配: "message" => "%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}\"
%{NUMBER:http_status_code} %{NUMBER:bytes} \"(?<http_referer>\S+)\" \"(?<http_user_agent>\S+)\" \"(?<http_x_forwarded_for>\S+)\"" log_format main '$http_host $server_addr $remote_addr [$time_local] "$request" '
'$request_body $status $body_bytes_sent "$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time'; 继续加;
log_format main '$remote_addr [$time_local] "$request"'
'$status $body_bytes_sent'; 日志格式:
121.40.205.143 [29/Aug/2016:12:51:18 +0800] "GET /resources/plugins/artDialog/ui-dialog.css HTTP/1.1"304 0
121.40.205.143 [29/Aug/2016:12:51:18 +0800] "GET /wechat/images/account/icons.7a340e21.png HTTP/1.1"304 0
121.40.205.143 [29/Aug/2016:12:51:18 +0800] "GET /wechat/images/nav-icon.44c2022c.png?v=1 HTTP/1.1"304 0
121.40.205.143 [29/Aug/2016:12:51:19 +0800] "GET /favicon.ico HTTP/1.1"404 2319
121.40.205.143 [29/Aug/2016:12:51:19 +0800] "GET /favicon.ico HTTP/1.1"404 2319
121.40.205.143 [29/Aug/2016:12:52:25 +0800] "GET /favicon.ico HTTP/1.1"404 2319
121.40.205.143 [29/Aug/2016:12:52:25 +0800] "GET /favicon.ico HTTP/1.1"404 2319
121.40.205.143 [29/Aug/2016:12:53:28 +0800] "GET /favicon.ico HTTP/1.1"404 2319 filter {
grok {
match=> {
"message" =>"%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}\"%{NUMBER:http_status_code} %{NUMBER:bytes}" } logstash 输出:
Pipeline main started
{
"message" => " 121.40.205.143 [29/Aug/2016:12:56:10 +0800] \"GET /favicon.ico HTTP/1.1\"404 2319",
"@version" => "1",
"@timestamp" => "2016-08-29T04:58:54.908Z",
"path" => "/rsyslog/data/nginx/uat/nginx_access01_log.2016-08-29",
"host" => "0.0.0.0",
"type" => "uat_nginx_access",
"clientip" => "121.40.205.143",
"time" => "29/Aug/2016:12:56:10 +0800",
"verb" => "GET",
"request" => "/favicon.ico",
"httpversion" => "1.1",
"http_status_code" => "404",
"bytes" => "2319"
} 继续; 121.40.205.143 [29/Aug/2016:13:00:16 +0800] "GET /favicon.ico HTTP/1.1"404 2319 "-"
121.40.205.143 [29/Aug/2016:13:00:22 +0800] "GET /favicon.ico HTTP/1.1"404 2319 "-"
121.40.205.143 [29/Aug/2016:13:00:30 +0800] "GET /favicon.ico HTTP/1.1"404 2319 "-"
121.40.205.143 [29/Aug/2016:13:00:32 +0800] "GET /wechat/login.html HTTP/1.1"304 0 "https://uatest.winfae.com/wechat/account.html"
121.40.205.143 [29/Aug/2016:13:00:32 +0800] "GET /wechat/images/login/icon_01.6e839367.png HTTP/1.1"304 0 "https://uatest.winfae.com/wechat/css/wechat.2a00a782.css"
121.40.205.143 [29/Aug/2016:13:00:32 +0800] "GET /wechat/images/login/icon_02.5065faba.png HTTP/1.1"304 0 "https://uatest.winfae.com/wechat/css/wechat.2a00a782.css"
121.40.205.143 [29/Aug/2016:13:00:32 +0800] "GET /resources/plugins/jquery/jquery.md5.js?v=1 HTTP/1.1"304 0 "https://uatest.winfae.com/wechat/login.html"
121.40.205.143 [29/Aug/2016:13:00:32 +0800] "GET /wechat/js/libs/dialog-min.88247f5e.js?v=1 HTTP/1.1"304 0 "https://uatest.winfae.com/wechat/login.html"
121.40.205.143 [29/Aug/2016:13:00:32 +0800] "GET /wechat/js/login.a87fbd64.js HTTP/1.1"304 0 "https://uatest.winfae.com/wechat/login.html" {
"message" => " 121.40.205.143 [29/Aug/2016:13:05:24 +0800] \"GET /wechat/account_balance.html HTTP/1.1\"200 3059 \"https://uatest.winfae.com/wechat/account.html\"
\"Mozilla/5.0 (Linux; Android 5.1.1; vivo X6S A Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile MQQBrowser/6.2 TBS/036558 Safari/537.36 MicroMessenger/6.3.25.861 NetType/WIFI Language/zh_CN\"", 121.40.205.143 [29/Aug/2016:13:05:24 +0800] "GET /wechat/account_balance.html HTTP/1.1"200 3059 "https://uatest.winfae.com/wechat/account.html" "Mozilla/5.0 (Linux; Android 5.1.1; vivo X6S A Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile MQQBrowser/6.2 TBS/036558 Safari/537.36 MicroMessenger/6.3.25.861 NetType/WIFI Language/zh_CN"
121.40.205.143 [29/Aug/2016:13:05:45 +0800] "GET /wechat/home.html?useragent=android_h5_zjcap&apiver=2 HTTP/1.1"200 11601 "-" "okhttp/2.6.0" {
"message" => " 121.40.205.143 [29/Aug/2016:13:13:11 +0800] \"GET /wechat/js/regain.431efde9.js HTTP/1.1\"304 0 \"https://uatest.winfae.com/wechat/regain.html\" \"Mozilla/5.0 (Linux; Android 5.1.1; vivo X6S A Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile MQQBrowser/6.2 TBS/036558 Safari/537.36 MicroMessenger/6.3.25.861 NetType/WIFI Language/zh_CN\"",
"@version" => "1",
"@timestamp" => "2016-08-29T05:15:55.609Z",
"path" => "/rsyslog/data/nginx/uat/nginx_access01_log.2016-08-29",
"host" => "0.0.0.0",
"type" => "uat_nginx_access",
"clientip" => "121.40.205.143",
"time" => "29/Aug/2016:13:13:11 +0800",
"verb" => "GET",
"request" => "/wechat/js/regain.431efde9.js",
"httpversion" => "1.1",
"http_status_code" => "304",
"bytes" => "0",
"http_referer" => "https://uatest.winfae.com/wechat/regain.html" \S+ 和 [^\n\t\r\f]+ 语法一样 非空格 my $str=" begin 123.456 end ";
if ($str =~/(?<request_time>\d+\.\d+)/)
{
my ($request_time) = ($+{request_time});
print $request_time."\n";};
zjtest7-frontend:/root/0825# perl a1.pl
123.456 "http_referer" => "https://uatest.winfae.com/wechat/regain.html" \"(?<http_referer>\S+)\" \"(?<http_user_agent>\S+)\"
\"Mozilla/5.0 (Linux; Android 5.1.1; vivo X6S A Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile MQQBrowser/6.2 TBS/036558 Safari/537.36 MicroMessenger/6.3.25.861 NetType/WIFI Language/zh_CN\" "message" => " 121.40.205.143 [29/Aug/2016:13:54:08 +0800] \"GET /resources/plugins/artDialog/ui-dialog.css HTTP/1.1\"200 9985 \"https://uatest.winfae.com/wechat/home.html?useragent=ios_h5_zjcap&apiver=2&WKWebView=1\" \"ios_h5_zjcap\"",
"@version" => "1",
"@timestamp" => "2016-08-29T05:56:53.217Z",
"path" => "/rsyslog/data/nginx/uat/nginx_access01_log.2016-08-29",
"host" => "0.0.0.0",
"type" => "uat_nginx_access",
"clientip" => "121.40.205.143",
"time" => "29/Aug/2016:13:54:08 +0800",
"verb" => "GET",
"request" => "/resources/plugins/artDialog/ui-dialog.css",
"httpversion" => "1.1",
"http_status_code" => "200",
"bytes" => "9985",
"http_referer" => "https://uatest.winfae.com/wechat/home.html?useragent=ios_h5_zjcap&apiver=2&WKWebView=1",
"http_user_agent" => "ios_h5_zjcap"
} {
"message" => " 121.40.205.143 [29/Aug/2016:13:59:35 +0800] \"GET /resources/js/toolbar.49fc367e.js?_v=${last.updated}&_=1472450673142 HTTP/1.1\"200 1800 \"https://uatest.winfae.com/products/productList.html\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36\"",
"@version" => "1",
"@timestamp" => "2016-08-29T06:02:18.775Z",
"path" => "/rsyslog/data/nginx/uat/nginx_access01_log.2016-08-29",
"host" => "0.0.0.0",
"type" => "uat_nginx_access",
"tags" => [
[0] "_grokparsefailure"
]
}
logstash grok正则调试的更多相关文章
- ELK——为调试 Logstash Grok 表达式,安装 GrokDebuger 环境
内容 安装 RVM 安装 Ruby 和 Gems 安装 Rails 安装 jls-grok Ruby grok 解析 调试 grok 注意:不要用 root 执行以下操作. 用 logstash ...
- grok 正则解析日志例子<1>
<pre name="code" class="html">下面是日志的样子 55.3.244.1 GET /index.html 15824 0. ...
- logstash grok内置规则
logstash grok 内置正则 https://github.com/elastic/logstash/blob/v1.4.2/patterns/grok-patterns USERNAME [ ...
- [elk]logstash grok原理
logstash语法 http://www.ttlsa.com/elk/elk-logstash-configuration-syntax/ https://www.elastic.co/guide/ ...
- logstash -grok插件语法介绍
介绍 logstash拥有丰富的filter插件,它们扩展了进入过滤器的原始数据,进行复杂的逻辑处理,甚至可以无中生有的添加新的 logstash 事件到后续的流程中去!Grok 是 Logsta ...
- Grok 正则捕获
Grok 正则捕获: \s+(?<request_time>\d+(?:\.\d+)?)\s+ 回顾下: (?:pattern) 匹 配 pattern 但不获取匹配结果,也就是说这是一个 ...
- grok 正则捕获(就是perl的正则捕获)
2.3.2 grok 正则捕获: \s+ 和 [\n\t\r\f]+ 一样 1.命名分组格式为(?<grp name>),反向引用时用\k<grp name> 2.命名分组的匹 ...
- logstash 使用grok正则解析日志
http://xiaorui.cc/2015/01/27/logstash%E4%BD%BF%E7%94%A8grok%E6%AD%A3%E5%88%99%E8%A7%A3%E6%9E%90%E6%9 ...
- logstash的grok正则匹配规则文件
文件路径:logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-4.1.0/patterns/grok-patterns 在线调试g ...
随机推荐
- Eclipse IDE for Java EE Developers使用和新建工程helloworld
开发j2ee还是用专门的java ee eclipse,自带了许多开发j2ee的插件,包括: This package includes: Data Tools Platform Eclipse Gi ...
- bzoj1637 [Usaco2007 Mar]Balanced Lineup
Description Farmer John 决定给他的奶牛们照一张合影,他让 N (1 ≤ N ≤ 50,000) 头奶牛站成一条直线,每头牛都有它的坐标(范围: 0..1,000,000,000 ...
- Word Break I II
Word Break Given a string s and a dictionary of words dict, determine if s can be segmented into a s ...
- EasyUI的下拉选择框控件方法被屏蔽处理方式
1.html标签如下 <div id="selectMap" style="top: 1px;left: 80px;position: absolute;" ...
- Valid Anagram 解答
Question Given two strings s and t, write a function to determine if t is an anagram of s. For examp ...
- POJ 2579 Fiber Network(状态压缩+Floyd)
Fiber Network Time Limit: 1000MS Memory Limit: 65536K Total Submissions: 3328 Accepted: 1532 Des ...
- C/C++中经常使用的字符串处理函数和内存字符串函数
一. 字符处理函数 1. 字符处理函数:<ctype.h> int isdigit(int ch) ;//是否为数字,即ch是否是0-9中的字符 int ...
- UBUNTU系统常用基本命令
1.系统基本信息查询查看内核#uname -a 查看Ubuntu版本#cat /etc/issue 查看内核加载的模块#lsmod 查看PCI设备#lspci 查看USB设备#lsusb 查看网卡状态 ...
- 【HeadFirst 设计模式总结】2 观察者模式
作者:gnuhpc 出处:http://www.cnblogs.com/gnuhpc/ 1.我们需要理解报社.订阅系统和订报人之间的关系,订报人通过订阅系统订报,一旦报社有新的报纸,订阅系统就会派人送 ...
- VLC各个Module模块之间共享变量的实现方法
在做VLC开发的时候,想使用一个模块访问另外一个模块的数据, 比如在网络模块得到了一些数据,想在其他模块得到这些数据进行处理,这时候就需要两个模块共享一些变量. 查看VLC的源码,发现VLC专门有va ...