logstash grok正则调试
logstash 正则调试;
nginx 配置;
log_format main '$remote_addr [$time_local] "$request" '; logstash:
"message" =>"%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}\"" 输出: {
"message" => " 121.40.205.143 [29/Aug/2016:12:36:32 +0800] \"GET /favicon.ico HTTP/1.1\" - 404 2319 \"-\" \"Mozilla/5.0 (Linux; Android 5.1.1; vivo X6S A Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile MQQBrowser/6.2 TBS/036558 Safari/537.36 MicroMessenger/6.3.25.861 NetType/WIFI Language/zh_CN\" 0.000 -",
"@version" => "1",
"@timestamp" => "2016-08-29T04:39:16.608Z",
"path" => "/rsyslog/data/nginx/uat/nginx_access01_log.2016-08-29",
"host" => "0.0.0.0",
"type" => "uat_nginx_access",
"clientip" => "121.40.205.143",
"time" => "29/Aug/2016:12:36:32 +0800",
"verb" => "GET",
"request" => "/favicon.ico",
"httpversion" => "1.1"
} 此时grok 能正常匹配: "message" => "%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}\"
%{NUMBER:http_status_code} %{NUMBER:bytes} \"(?<http_referer>\S+)\" \"(?<http_user_agent>\S+)\" \"(?<http_x_forwarded_for>\S+)\"" log_format main '$http_host $server_addr $remote_addr [$time_local] "$request" '
'$request_body $status $body_bytes_sent "$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time'; 继续加;
log_format main '$remote_addr [$time_local] "$request"'
'$status $body_bytes_sent'; 日志格式:
121.40.205.143 [29/Aug/2016:12:51:18 +0800] "GET /resources/plugins/artDialog/ui-dialog.css HTTP/1.1"304 0
121.40.205.143 [29/Aug/2016:12:51:18 +0800] "GET /wechat/images/account/icons.7a340e21.png HTTP/1.1"304 0
121.40.205.143 [29/Aug/2016:12:51:18 +0800] "GET /wechat/images/nav-icon.44c2022c.png?v=1 HTTP/1.1"304 0
121.40.205.143 [29/Aug/2016:12:51:19 +0800] "GET /favicon.ico HTTP/1.1"404 2319
121.40.205.143 [29/Aug/2016:12:51:19 +0800] "GET /favicon.ico HTTP/1.1"404 2319
121.40.205.143 [29/Aug/2016:12:52:25 +0800] "GET /favicon.ico HTTP/1.1"404 2319
121.40.205.143 [29/Aug/2016:12:52:25 +0800] "GET /favicon.ico HTTP/1.1"404 2319
121.40.205.143 [29/Aug/2016:12:53:28 +0800] "GET /favicon.ico HTTP/1.1"404 2319 filter {
grok {
match=> {
"message" =>"%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}\"%{NUMBER:http_status_code} %{NUMBER:bytes}" } logstash 输出:
Pipeline main started
{
"message" => " 121.40.205.143 [29/Aug/2016:12:56:10 +0800] \"GET /favicon.ico HTTP/1.1\"404 2319",
"@version" => "1",
"@timestamp" => "2016-08-29T04:58:54.908Z",
"path" => "/rsyslog/data/nginx/uat/nginx_access01_log.2016-08-29",
"host" => "0.0.0.0",
"type" => "uat_nginx_access",
"clientip" => "121.40.205.143",
"time" => "29/Aug/2016:12:56:10 +0800",
"verb" => "GET",
"request" => "/favicon.ico",
"httpversion" => "1.1",
"http_status_code" => "404",
"bytes" => "2319"
} 继续; 121.40.205.143 [29/Aug/2016:13:00:16 +0800] "GET /favicon.ico HTTP/1.1"404 2319 "-"
121.40.205.143 [29/Aug/2016:13:00:22 +0800] "GET /favicon.ico HTTP/1.1"404 2319 "-"
121.40.205.143 [29/Aug/2016:13:00:30 +0800] "GET /favicon.ico HTTP/1.1"404 2319 "-"
121.40.205.143 [29/Aug/2016:13:00:32 +0800] "GET /wechat/login.html HTTP/1.1"304 0 "https://uatest.winfae.com/wechat/account.html"
121.40.205.143 [29/Aug/2016:13:00:32 +0800] "GET /wechat/images/login/icon_01.6e839367.png HTTP/1.1"304 0 "https://uatest.winfae.com/wechat/css/wechat.2a00a782.css"
121.40.205.143 [29/Aug/2016:13:00:32 +0800] "GET /wechat/images/login/icon_02.5065faba.png HTTP/1.1"304 0 "https://uatest.winfae.com/wechat/css/wechat.2a00a782.css"
121.40.205.143 [29/Aug/2016:13:00:32 +0800] "GET /resources/plugins/jquery/jquery.md5.js?v=1 HTTP/1.1"304 0 "https://uatest.winfae.com/wechat/login.html"
121.40.205.143 [29/Aug/2016:13:00:32 +0800] "GET /wechat/js/libs/dialog-min.88247f5e.js?v=1 HTTP/1.1"304 0 "https://uatest.winfae.com/wechat/login.html"
121.40.205.143 [29/Aug/2016:13:00:32 +0800] "GET /wechat/js/login.a87fbd64.js HTTP/1.1"304 0 "https://uatest.winfae.com/wechat/login.html" {
"message" => " 121.40.205.143 [29/Aug/2016:13:05:24 +0800] \"GET /wechat/account_balance.html HTTP/1.1\"200 3059 \"https://uatest.winfae.com/wechat/account.html\"
\"Mozilla/5.0 (Linux; Android 5.1.1; vivo X6S A Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile MQQBrowser/6.2 TBS/036558 Safari/537.36 MicroMessenger/6.3.25.861 NetType/WIFI Language/zh_CN\"", 121.40.205.143 [29/Aug/2016:13:05:24 +0800] "GET /wechat/account_balance.html HTTP/1.1"200 3059 "https://uatest.winfae.com/wechat/account.html" "Mozilla/5.0 (Linux; Android 5.1.1; vivo X6S A Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile MQQBrowser/6.2 TBS/036558 Safari/537.36 MicroMessenger/6.3.25.861 NetType/WIFI Language/zh_CN"
121.40.205.143 [29/Aug/2016:13:05:45 +0800] "GET /wechat/home.html?useragent=android_h5_zjcap&apiver=2 HTTP/1.1"200 11601 "-" "okhttp/2.6.0" {
"message" => " 121.40.205.143 [29/Aug/2016:13:13:11 +0800] \"GET /wechat/js/regain.431efde9.js HTTP/1.1\"304 0 \"https://uatest.winfae.com/wechat/regain.html\" \"Mozilla/5.0 (Linux; Android 5.1.1; vivo X6S A Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile MQQBrowser/6.2 TBS/036558 Safari/537.36 MicroMessenger/6.3.25.861 NetType/WIFI Language/zh_CN\"",
"@version" => "1",
"@timestamp" => "2016-08-29T05:15:55.609Z",
"path" => "/rsyslog/data/nginx/uat/nginx_access01_log.2016-08-29",
"host" => "0.0.0.0",
"type" => "uat_nginx_access",
"clientip" => "121.40.205.143",
"time" => "29/Aug/2016:13:13:11 +0800",
"verb" => "GET",
"request" => "/wechat/js/regain.431efde9.js",
"httpversion" => "1.1",
"http_status_code" => "304",
"bytes" => "0",
"http_referer" => "https://uatest.winfae.com/wechat/regain.html" \S+ 和 [^\n\t\r\f]+ 语法一样 非空格 my $str=" begin 123.456 end ";
if ($str =~/(?<request_time>\d+\.\d+)/)
{
my ($request_time) = ($+{request_time});
print $request_time."\n";};
zjtest7-frontend:/root/0825# perl a1.pl
123.456 "http_referer" => "https://uatest.winfae.com/wechat/regain.html" \"(?<http_referer>\S+)\" \"(?<http_user_agent>\S+)\"
\"Mozilla/5.0 (Linux; Android 5.1.1; vivo X6S A Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile MQQBrowser/6.2 TBS/036558 Safari/537.36 MicroMessenger/6.3.25.861 NetType/WIFI Language/zh_CN\" "message" => " 121.40.205.143 [29/Aug/2016:13:54:08 +0800] \"GET /resources/plugins/artDialog/ui-dialog.css HTTP/1.1\"200 9985 \"https://uatest.winfae.com/wechat/home.html?useragent=ios_h5_zjcap&apiver=2&WKWebView=1\" \"ios_h5_zjcap\"",
"@version" => "1",
"@timestamp" => "2016-08-29T05:56:53.217Z",
"path" => "/rsyslog/data/nginx/uat/nginx_access01_log.2016-08-29",
"host" => "0.0.0.0",
"type" => "uat_nginx_access",
"clientip" => "121.40.205.143",
"time" => "29/Aug/2016:13:54:08 +0800",
"verb" => "GET",
"request" => "/resources/plugins/artDialog/ui-dialog.css",
"httpversion" => "1.1",
"http_status_code" => "200",
"bytes" => "9985",
"http_referer" => "https://uatest.winfae.com/wechat/home.html?useragent=ios_h5_zjcap&apiver=2&WKWebView=1",
"http_user_agent" => "ios_h5_zjcap"
} {
"message" => " 121.40.205.143 [29/Aug/2016:13:59:35 +0800] \"GET /resources/js/toolbar.49fc367e.js?_v=${last.updated}&_=1472450673142 HTTP/1.1\"200 1800 \"https://uatest.winfae.com/products/productList.html\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36\"",
"@version" => "1",
"@timestamp" => "2016-08-29T06:02:18.775Z",
"path" => "/rsyslog/data/nginx/uat/nginx_access01_log.2016-08-29",
"host" => "0.0.0.0",
"type" => "uat_nginx_access",
"tags" => [
[0] "_grokparsefailure"
]
}
logstash grok正则调试的更多相关文章
- ELK——为调试 Logstash Grok 表达式,安装 GrokDebuger 环境
内容 安装 RVM 安装 Ruby 和 Gems 安装 Rails 安装 jls-grok Ruby grok 解析 调试 grok 注意:不要用 root 执行以下操作. 用 logstash ...
- grok 正则解析日志例子<1>
<pre name="code" class="html">下面是日志的样子 55.3.244.1 GET /index.html 15824 0. ...
- logstash grok内置规则
logstash grok 内置正则 https://github.com/elastic/logstash/blob/v1.4.2/patterns/grok-patterns USERNAME [ ...
- [elk]logstash grok原理
logstash语法 http://www.ttlsa.com/elk/elk-logstash-configuration-syntax/ https://www.elastic.co/guide/ ...
- logstash -grok插件语法介绍
介绍 logstash拥有丰富的filter插件,它们扩展了进入过滤器的原始数据,进行复杂的逻辑处理,甚至可以无中生有的添加新的 logstash 事件到后续的流程中去!Grok 是 Logsta ...
- Grok 正则捕获
Grok 正则捕获: \s+(?<request_time>\d+(?:\.\d+)?)\s+ 回顾下: (?:pattern) 匹 配 pattern 但不获取匹配结果,也就是说这是一个 ...
- grok 正则捕获(就是perl的正则捕获)
2.3.2 grok 正则捕获: \s+ 和 [\n\t\r\f]+ 一样 1.命名分组格式为(?<grp name>),反向引用时用\k<grp name> 2.命名分组的匹 ...
- logstash 使用grok正则解析日志
http://xiaorui.cc/2015/01/27/logstash%E4%BD%BF%E7%94%A8grok%E6%AD%A3%E5%88%99%E8%A7%A3%E6%9E%90%E6%9 ...
- logstash的grok正则匹配规则文件
文件路径:logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-4.1.0/patterns/grok-patterns 在线调试g ...
随机推荐
- Eclipse中设置条件断点
1.在要添加断点的变量那一行前双击,添加断点: 2.在该断点处点击鼠标右键,在弹出的选项卡中选择“断点属性”Breakpoint Properties; 3.在断点属性选项卡中勾选Enabled复选框 ...
- Dubbo、Zookeeper、SpringMVC的整合使用
互联网的发展,网站应用的规模不断扩大,常规的垂直应用架构已无法应对,分布式服务架构以及流动计算架构势在必行,Dubbo是一个分布式服务框架,在这种情况下诞生的.现在核心业务抽取出来,作为独立的服务,使 ...
- Jump Game 解答
Question Given an array of non-negative integers, you are initially positioned at the first index of ...
- WebBrowserProgramming - Python Wiki
WebBrowserProgramming - Python Wiki Web Browser Programming in Python
- 用到的Python运算符
假设变量a为10,变量b为20. 算术运算符 比较运算符 赋值运算符 逻辑运算符 运算符优先级 对于逻辑运算符,not的优先级最大,or的优先级最小.它们三个的优先级排序为:not > and ...
- 了解XSS攻击
XSS又称CSS,全称Cross SiteScript,跨站脚本攻击,是Web程序中常见的漏洞,XSS属于被动式且用于客户端的攻击方式,所以容易被忽略其危害性.其原理是攻击者向有 XSS漏洞的网站中输 ...
- Hibernate中save、saveorupdate、persist方法的区别
在Hibernate中,save().saveOrUpdate()和persist()都是用于将对象保存到数据库中的方法,但其中有些细微的差别.例如,save()只能INSERT记录,但是saveOr ...
- 本人的cocos2d-x之路
大学基本上算是混着过去了- -,说起学到的东西,感觉真的不多.然后吧.在大四这年在大妈的带动下,来到了一家棋牌游戏公司,详细就不说了.刚进去的时候真的是啥也不懂.先是看了项目代码,自己捉摸了1 ...
- Jquery 工具类函数
1.$.browser 获取当前浏览器的名称和版本信息 $.browser.chrome 获取chrome浏览器 $.browser.mozilla 获取火狐浏览器 $.browser.msie ...
- windows 7 旗舰版 切换 中英文 界面
http://jingyan.baidu.com/article/f7ff0bfc4963612e26bb131e.html 如果遇到:想下载英语语言包,但是出现代码80070643,windowsu ...