Logstash _grokparsefailure

Question

有人可以澄清一下吗？当我针对 grokdebug 和 grokconstructor 测试它时，我的 grok 模式工作正常，但后来我把它放在 Logastash 中，它从一开始就失败了。任何指导将不胜感激。下面是我的过滤器和示例日志条目。

{"casename":"null","username":"null","startdate":"2015-05-26T01:09:23Z","enddate":"2015-05-26T01:09:23Z","time":"0.0156249","methodname":"null","url":"http://null.domain.com/null.php/null/jobs/_search?q=jobid:\"0\"&size=100&from=0","errortype":"null","errorinfo":"null","postdata":"null","methodtype":"null","servername":"null","gaggleid":"a51b90d6-1f82-46a7-adb9-9648def879c5","date":"2015-05-26T01:09:23Z","firstname":"null","lastname":"null"}


filter {
  if [type] == 'EventLog' {
    grok {
      match => { 'message' =>  ' \{"casename":"%{WORD:casename}","username":"%{WORD:username}","startdate":"%{TIMESTAMP_ISO8601:startdate}","enddate":"%{TIMESTAMP_ISO8601:enddate}","time":"%{NUMBER:time}","methodname":"%{WORD:methodname}","url":"%{GREEDYDATA:url}","errortype":"%{WORD:errortype}","errorinfo":"%{WORD:errorinfo}","postdata":"%{GREEDYDATA:postdata}","methodtype":"%{WORD:methodtype}","servername":"%{HOST:servername}","gaggleid":"%{GREEDYDATA:gaggleid}","date":"%{TIMESTAMP_ISO8601:date}","firstname":"%{WORD:firstname}","lastname":"%{WORD:lastname}"\} '
     }
   }
  }
 }

Answer 1

"Fails from the beginning"，确实如此！看到了吗？

'message' =>  ' \{"casename"

              ^^^

您的输入中没有首字母（或结尾）space，但您的模式中有它们。删除它们，它在 logstash 中工作正常。

顺便说一句，你看过jsoncodec or filter吗？