我如何使用 grok 过滤器在 tomcat 日志中获取匹配的消息?
How can i use grok filter to get the matched messages in the tomcat logs?
我在 tomcat 日志中得到不同的信息。我只想要带有消息 "Server startup in" 的行。我在 logstash 中使用 grok 过滤器,但我无法获得包含该消息的唯一一条过滤消息。我在 tomcat 的日志中收到了所有消息。 logstash 中的 conf 文件是...
input {
stdin { }
file {
type => "tomcat-access"
path => ["D:/apache-tomcat-7/logs/catalina.2015-05-19.log"]
}
}
filter {
grok {
match => [ "message:Server startup in", "%{SYSLOGBASE} %{DATA:message}"]
}
}
output {
stdout { codec => rubydebug }
elasticsearch {
index => "tomcat"
cluster => "cloud-es"
}
}
grok filter is used to extract fields from messages. It doesn't do any filtering. You should use a conditional and the drop filter:
filter {
if [message] !~ /Server start up in/ {
drop { }
}
}
或者:
filter {
if "Server start up in" not in [message] {
drop { }
}
}
我在 tomcat 日志中得到不同的信息。我只想要带有消息 "Server startup in" 的行。我在 logstash 中使用 grok 过滤器,但我无法获得包含该消息的唯一一条过滤消息。我在 tomcat 的日志中收到了所有消息。 logstash 中的 conf 文件是...
input {
stdin { }
file {
type => "tomcat-access"
path => ["D:/apache-tomcat-7/logs/catalina.2015-05-19.log"]
}
}
filter {
grok {
match => [ "message:Server startup in", "%{SYSLOGBASE} %{DATA:message}"]
}
}
output {
stdout { codec => rubydebug }
elasticsearch {
index => "tomcat"
cluster => "cloud-es"
}
}
grok filter is used to extract fields from messages. It doesn't do any filtering. You should use a conditional and the drop filter:
filter {
if [message] !~ /Server start up in/ {
drop { }
}
}
或者:
filter {
if "Server start up in" not in [message] {
drop { }
}
}