根据Logstash中的事件消息添加字段不起作用

Question

我已经安装了ELK并在我的机器上工作,但现在我想根据事件消息进行更复杂的过滤和字段添加.

具体来说,我想根据消息模式设置"id_error"和"descripcio".

我在"logstash.conf"文件中尝试了很多代码组合,但是我无法获得预期的行为.

有人能告诉我我做错了什么,我该做什么或者这是不可能的？提前致谢.

这是我的"logstash.conf"文件,我做了最后一次测试,结果没有在Kibana中捕获事件:

input { 
    file {
        path => "C:\xxx.log"
    }
}

filter {
    grok {
        patterns_dir => "C:\elk\patterns"
        match => [ "message", "%{ERROR2:error2}" ]
        add_field => [ "id_error", "2" ]
        add_field => [ "descripcio", "error2!!!" ]
    }
    grok {
        patterns_dir => "C:\elk\patterns"
        match => [ "message", "%{ERROR1:error1}" ]
        add_field => [ "id_error", "1" ]
        add_field => [ "descripcio", "error1!!!" ]
    }
    if ("_grokparsefailure" in [tags]) { drop {} }
}

output {
  elasticsearch {
    host => "localhost"
    protocol => "http"
    index => "xxx-%{+YYYY.MM.dd}"
  }
}

我也尝试了以下代码,在每个匹配的事件中产生了分别为"[1,2]"和"[error1 !!!,error2 !!!]"的字段"id_error"和"descripcio".

由于"break_on_match"默认设置为"true",我希望只获得匹配子句后面的字段,但这不会发生.

input { 
  file {
    path => "C:\xxx.log"
  }
}

filter {
  grok {
    patterns_dir => "C:\elk\patterns"
    match => [ "message", "%{ERROR1:error1}" ]
    add_field => [ "id_error", "1" ]
    add_field => [ "descripcio", "error1!!!" ]
    match => [ "message", "%{ERROR2:error2}" ]
    add_field => [ "id_error", "2" ]
    add_field => [ "descripcio", "error2!!!" ]
  }
  if ("_grokparsefailure" in [tags]) { drop {} }
}

output {
  elasticsearch {
    host => "localhost"
    protocol => "http"
    index => "xxx-%{+YYYY.MM.dd}"
  }
}

Answer 1

我已经解决了这个问题。我在“logstash.conf”中使用以下代码得到了预期的结果：

input { 
  file {
    path => "C:\xxx.log"
  }
}

filter {
  grok {
    patterns_dir => "C:\elk\patterns"
    match => [ "message", "%{ERROR1:error1}" ]
    match => [ "message", "%{ERROR2:error2}" ]
  }
  if [message] =~ /error1_regex/ {
    grok {
        patterns_dir => "C:\elk\patterns"
        match => [ "message", "%{ERROR1:error1}" ]
    }
    mutate {
        add_field => [ "id_error", "1" ]
        add_field => [ "descripcio", "Error1!" ]
        remove_field => [ "message" ]
        remove_field => [ "error1" ]
    }
  }
  else if [message] =~ /error2_regex/ {
    grok {
        patterns_dir => "C:\elk\patterns"
        match => [ "message", "%{ERROR2:error2}" ]
    }
    mutate {
        add_field => [ "id_error", "2" ]
        add_field => [ "descripcio", "Error2!" ]
        remove_field => [ "message" ]
        remove_field => [ "error2" ]
    }
  }
  if ("_grokparsefailure" in [tags]) { drop {} }
}

output {
  elasticsearch {
    host => "localhost"
    protocol => "http"
    index => "xxx-%{+YYYY.MM.dd}"
  }
}