2017-10-12 119 views
0

Logstash multiline log file XML parsing filter

I'm completely new to Logstash. I'm trying to parse my multiline log entries, which are in the following format:

<log level="INFO" time="Wed May 03 08:25:03 CEST 2017" timel="1493792703368" host="host"> <msg><![CDATA[Method=GET URL=http://localhost (Vers=[Version], Param1=[param1], Param2=[param1]) Result(Content-Length=[22222], Content-Type=[text/xml; charset=utf-8]) Status=200 Times=TISP:1098/CSI:-/Me:1/Total:1099]]> </msg> </log>

Do you know how to implement a Logstash filter configuration that can index the following fields into Elasticsearch:

time, host, Vers, Param1, Param2, TISP

Thank you very much.

+0

Use a multiline codec on the input, then the xml filter with xpath. – baudsp

Answer

0

OK, I found out how to do it. Here is my pipeline.conf file, and it works:

input {
  # One event per complete <log> element: multi-line entries must be joined
  # before they reach the filter (Filebeat multiline options or a multiline codec).
  beats {
    port => 5044
  }
}

filter {
  xml {
    store_xml => false
    source => "message"
    xpath => [
      "/log/@level", "level",
      "/log/@time", "time",
      "/log/@timel", "unixtime",
      "/log/@host", "host_org",
      "/log/msg", "msg",            # the <msg> element itself (there is no msg attribute)
      "/log/msg/text()", "msg_txt"  # the CDATA payload, which grok parses below
    ]
  }

  grok {
    # Try every pattern on msg_txt; do not stop after the first hit.
    break_on_match => false
    match => {
      "msg_txt" => [
        "Param1=\[(?<param1>-?\w+)\]",
        "Param2=\[(?<param2>-?\w+)\]",
        "Vers=\[(?<vers>-?\d+\.\d+)\]",
        "TISP:(?<tisp>-?\d+)"
      ]
      "unixtime" => "(?<customTime>-?\d+)"
    }
  }
  if "_grokparsefailure" in [tags] {
    drop { }
  }

  mutate {
    convert => { "tisp" => "integer" }
  }

  # timel is epoch milliseconds; use it as the event timestamp.
  date {
    match => [ "customTime", "UNIX_MS" ]
    target => "@timestamp"
  }
  if "_dateparsefailure" in [tags] {
    drop { }
  }
}

output {
  elasticsearch {
    hosts => "elasticsearch:9200"
    user => "user"          # placeholder credentials
    password => "passwd"
  }
}
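Before shipping a pipeline like the one in the answer, it helps to check the xpath expressions and grok patterns against sample lines outside Logstash. The following Python script is an added example, not part of the question or answer: it reproduces the answer's extraction logic (the attribute xpaths, the four `msg_txt` patterns, the integer conversion and the `UNIX_MS` timestamp) on a constructed log line so each field can be asserted. It is stricter than the answer's grok block in one respect: it treats a missing match for any pattern as a parse failure, whereas grok tags `_grokparsefailure` only when no pattern matches at all.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample entries shaped like the one in the question (not real log data).
SAMPLE_LINE = (
    '<log level="INFO" time="Wed May 03 08:25:03 CEST 2017" timel="1493792703368" host="host"> '
    '<msg><![CDATA[Method=GET URL=http://localhost (Vers=[1.2], Param1=[abc], Param2=[xyz]) '
    'Result(Content-Length=[22222], Content-Type=[text/xml; charset=utf-8]) '
    'Status=200 Times=TISP:1098/CSI:-/Me:1/Total:1099]]> </msg> </log>'
)
# Same shape, but the Times= section lacks TISP, so the grok stage cannot fill "tisp".
BAD_LINE = (
    '<log level="WARN" time="Wed May 03 08:25:04 CEST 2017" timel="1493792704000" host="host"> '
    '<msg><![CDATA[Method=GET URL=http://localhost (Vers=[1.2], Param1=[abc], Param2=[xyz]) '
    'Status=500 Times=CSI:-/Me:1/Total:3]]> </msg> </log>'
)

# The patterns from the answer's grok block; named groups carry the field names.
GROK_PATTERNS = {
    "param1": re.compile(r"Param1=\[(?P<param1>-?\w+)\]"),
    "param2": re.compile(r"Param2=\[(?P<param2>-?\w+)\]"),
    "vers": re.compile(r"Vers=\[(?P<vers>-?\d+\.\d+)\]"),
    "tisp": re.compile(r"TISP:(?P<tisp>-?\d+)"),
}


class ParseFailure(Exception):
    """Where the pipeline would tag _grokparsefailure/_dateparsefailure and drop the event."""


def parse_log_entry(line: str) -> dict:
    """Turn one <log> element into the event fields the answer's pipeline produces."""
    # ElementTree does not fetch external entities, but for log feeds you do not control
    # the defusedxml package is the hardened drop-in (it also caps entity expansion).
    root = ET.fromstring(line)
    if root.tag != "log":
        raise ParseFailure("root element is not <log>")

    # xml filter stage: attribute xpaths and the CDATA text of <msg>.
    event = {
        "level": root.get("level"),
        "time": root.get("time"),
        "unixtime": root.get("timel"),
        "host_org": root.get("host"),
    }
    msg = root.find("msg")
    event["msg_txt"] = (msg.text or "").strip() if msg is not None else ""

    # grok stage (strict variant: every pattern must match, see lead-in).
    for name, pattern in GROK_PATTERNS.items():
        m = pattern.search(event["msg_txt"])
        if m is None:
            raise ParseFailure(f"no match for {name}")
        event[name] = m.group(name)

    # mutate stage: tisp becomes an integer.
    event["tisp"] = int(event["tisp"])

    # date stage: timel is UNIX_MS; build the timestamp from integer parts to avoid
    # float rounding in the microseconds.
    if event["unixtime"] is None or not re.fullmatch(r"-?\d+", event["unixtime"]):
        raise ParseFailure("timel is not UNIX_MS")
    ms = int(event["unixtime"])
    event["@timestamp"] = (
        datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)
    )
    return event


def is_dropped(line: str) -> bool:
    """True when the pipeline's drop {} branches would discard this line."""
    try:
        parse_log_entry(line)
    except (ParseFailure, ET.ParseError):
        return True
    return False


if __name__ == "__main__":
    for key, value in parse_log_entry(SAMPLE_LINE).items():
        print(f"{key}: {value}")
    print("bad line dropped:", is_dropped(BAD_LINE))
```

Run it as-is to see the parsed fields; to test your own patterns, replace the entries in `GROK_PATTERNS` and the constructed lines with lines from your log (the `(?<name>...)` grok syntax maps to Python's `(?P<name>...)`). The `08:25:03 CEST` in the sample resolves to `06:25:03` UTC, which is what the `@timestamp` field shows.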