CSV filter in logstash throwing "_csvparsefailure" error
I asked another question earlier which I think may be related to this one:
The reason I think it is related is that in the previous question, Kibana did not show the results from the JSON parser, whose "PROGRAM" field was "mfd_status". Now I am changing the way I do things and have removed the JSON parser in case it was interfering with things, but I still don't get any logs with "mfd_status" showing up.
csv {
    columns => ["unixTime", "unixTime2", "FACILITY_NUM", "LEVEL_NUM", "PROGRAM", "PID", "MSG_FULL"]
    source => "message"
    separator => "	"   # a literal tab character between the quotes; "\t" is only understood when config.support_escapes is enabled in logstash.yml
}
In the previous question's filter I used two grok filters; I have now replaced them with a csv filter. I also have two date filters and a fingerprint filter, but I don't think they are related to this problem.
Sample log messages:
"1452564798.76\t1452496397.00\t1\t4\tkernel\t\t[ 6252.000246] sonar: sonar_write(): waiting..."
Output:
"unixTime" => "1452564798.76",
"unixTime2" => "1452496397.00",
"FACILITY_NUM" => "1",
"LEVEL_NUM" => "4",
"PROGRAM" => "kernel",
"PID" => nil,
"MSG_FULL" => "[ 6252.000246] sonar: sonar_write(): waiting...",
"TIMESTAMP" => "2016-01-12T02:13:18.760Z",
"TIMESTAMP_second" => "2016-01-11T07:13:17.000Z"
"1452564804.57\t1452496403.00\t1\t7\tmfd_status\t\t00800F08CFB0\textra\t{\"date\":1452543203,\"host\":\"ABCD1234\",\"inet\":[\"169.254.42.207/16\",\"10.8.207.176/32\",\"172.22.42.207/16\"],\"fb0\":[\"U:1280x800p-60\",32]}"
Output:
"tags" => [
[0] "_csvparsefailure"
After kernel/mfd_status in the log there should not be any more separators; everything after it should go under the MSG_FULL field.
In summary, why does one of my log messages parse correctly and the other not? Also, even if it does not parse correctly, it should still be sent to Elasticsearch with just empty fields, I would think; why doesn't it do that either?
You are almost there; you need to override two more parameters in your CSV filter and both lines will parse correctly.
The first is skip_empty_columns => true, because your second log line has a blank field that you need to ignore.
The second is quote_char => "'" (or anything other than the double quote "), because your JSON contains double quotes.
csv {
    columns => ["unixTime", "unixTime2", "FACILITY_NUM", "LEVEL_NUM", "PROGRAM", "PID", "MSG_FULL"]
    source => "message"
    separator => "	"   # a literal tab character between the quotes; "\t" is only understood when config.support_escapes is enabled in logstash.yml
    skip_empty_columns => true
    quote_char => "'"
}
With this, your first log line parses as:
{
"message" => "1452564798.76\t1452496397.00\t1\t4\tkernel\t\t[ 6252.000246] sonar: sonar_write(): waiting...",
"@version" => "1",
"@timestamp" => "2016-01-12T04:21:34.051Z",
"host" => "iMac.local",
"unixTime" => "1452564798.76",
"unixTime2" => "1452496397.00",
"FACILITY_NUM" => "1",
"LEVEL_NUM" => "4",
"PROGRAM" => "kernel",
"MSG_FULL" => "[ 6252.000246] sonar: sonar_write(): waiting..."
}
The second log line parses as:
{
"message" => "1452564804.57\t1452496403.00\t1\t7\tmfd_status\t\t00800F08CFB0\textra\t{\"date\":1452543203,\"host\":\"ABCD1234\",\"inet\":[\"169.254.42.207/16\",\"10.8.207.176/32\",\"172.22.42.207/16\"],\"fb0\":[\"U:1280x800p-60\",32]}",
"@version" => "1",
"@timestamp" => "2016-01-12T04:21:07.974Z",
"host" => "iMac.local",
"unixTime" => "1452564804.57",
"unixTime2" => "1452496403.00",
"FACILITY_NUM" => "1",
"LEVEL_NUM" => "7",
"PROGRAM" => "mfd_status",
"MSG_FULL" => "00800F08CFB0",
"column8" => "extra",
"column9" => "{\"date\":1452543203,\"host\":\"ABCD1234\",\"inet\":[\"169.254.42.207/16\",\"10.8.207.176/32\",\"172.22.42.207/16\"],\"fb0\":[\"U:1280x800p-60\",32]}"
}
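The behaviour the answer describes can be reproduced outside Logstash, because the csv filter delegates the actual parsing to Ruby's standard CSV library. The script below is an added example, not code from the page or from the logstash-filter-csv plugin: csv_filter is a hypothetical helper that models the plugin's column mapping (parse with CSV.parse_line, map positional values onto the configured column names, name surplus fields "columnN", and tag the event "_csvparsefailure" instead of dropping it when parsing fails), and the two log lines from the question are embedded as constructed string constants.

```ruby
require 'csv'

# Constructed sample input: the two tab-separated lines from the question.
KERNEL_LINE = "1452564798.76\t1452496397.00\t1\t4\tkernel\t\t" \
              "[ 6252.000246] sonar: sonar_write(): waiting..."
MFD_LINE    = "1452564804.57\t1452496403.00\t1\t7\tmfd_status\t\t00800F08CFB0\textra\t" \
              '{"date":1452543203,"host":"ABCD1234","inet":["169.254.42.207/16",' \
              '"10.8.207.176/32","172.22.42.207/16"],"fb0":["U:1280x800p-60",32]}'

COLUMNS = %w[unixTime unixTime2 FACILITY_NUM LEVEL_NUM PROGRAM PID MSG_FULL].freeze

# Model of the csv filter's field mapping (hypothetical helper, not the plugin's own code).
# Like the plugin, it parses with Ruby's CSV, maps positional values onto the configured
# column names, names any surplus fields "columnN" (1-based), and on a parse error tags
# the event "_csvparsefailure" and lets it continue rather than discarding it.
def csv_filter(message, columns: COLUMNS, separator: "\t", quote_char: '"',
               skip_empty_columns: false)
  event = { "message" => message }
  begin
    values = CSV.parse_line(message, col_sep: separator, quote_char: quote_char) || []
  rescue CSV::MalformedCSVError => e
    event["tags"] = ["_csvparsefailure"]
    # The real plugin only logs the exception; the field is added here to make the reason visible.
    event["parse_error"] = e.message
    return event
  end
  values.each_with_index do |value, i|
    # Ruby's CSV yields nil for an empty unquoted field, e.g. the missing PID between two tabs.
    next if skip_empty_columns && (value.nil? || value.empty?)
    event[columns[i] || "column#{i + 1}"] = value
  end
  event
end

# The three situations discussed on the page, in order:
#   1. question's config, kernel line     -> parses, PID => nil
#   2. question's config, mfd_status line -> _csvparsefailure (double quotes inside an unquoted field)
#   3. answer's config, mfd_status line   -> parses; PID skipped, extras become column8/column9
def demo
  [
    csv_filter(KERNEL_LINE),
    csv_filter(MFD_LINE),
    csv_filter(MFD_LINE, quote_char: "'", skip_empty_columns: true),
  ]
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |event| puts event.inspect, "" }
end
```

Running it shows that the blank PID field is not what breaks the second line: with the default quote character the first line already parses (PID => nil), while the second fails with CSV::MalformedCSVError because the JSON payload contains double quotes in a field that does not start with one. Changing quote_char is the actual fix; skip_empty_columns only decides whether the nil PID field is emitted. Two checks follow from this for a production pipeline: choose a quote_char that genuinely cannot occur in free-text message content (an apostrophe can appear in kernel messages, so one line containing it would fail the same way), and handle events carrying the _csvparsefailure tag explicitly, for instance with a conditional that routes them to a separate output, so that malformed or hostile log lines are noticed rather than silently unparsed.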