2017-05-17 4 views

Grok parse error, but worked fine in grok constructor?

My logs look like this:

[2017-05-17 22:22:55,708][WARN ][index.indexing.slowlog.index] [Torpedo][bank][1] took[101.4ms], took_millis[101], type[detail], id[88], routing[] , source[{"account_number":25,"balance":40540,"firstname":"Virginia","lastname":"Ayala","age":39,"gender":"F","address":"171 Putnam Avenue","employer":"Filodyne","email":"[email protected]","city":"Nicholson","state":"PA"}] 
[2017-05-17 22:23:35,292][WARN ][index.indexing.slowlog.index] [Torpedo][bank][4] took[10.4ms], took_millis[10], type[detail], id[69], routing[] , source[{"account_number":25,"balance":40540,"firstname":"Virginia","lastname":"Ayala","age":39,"gender":"F","address":"171 Putnam Avenue","employer":"Filodyne","email":"[email protected]","city":"Nicholson","state":"PA"}] 

My grok is as follows:

filter { 
      grok { 
       match => [ "message", "\[%{TIMESTAMP_ISO8601:TIMESTAMP}\]\[%{LOGLEVEL:LEVEL}%{SPACE}\]\[%{DATA:QUERY}\]%{SPACE}\[%{DATA:QUERY1}\]%{SPACE}\[%{DATA:INDEX-NAME}\]\[%{DATA:SHARD}\]%{SPACE}took\[%{DATA:TOOK}\],%{SPACE}took_millis\[%{DATA:TOOKM}\], type\[%{DATA:type}\], id\[%{NUMBER:id}\], routing\[%{DATA:routing}\], source\[%{DATA:source}\],"] 
      } 
    } 

When I checked it on the grokconstructor site, it shows it as matched.

[2017-05-17 22:22:55,708][WARN ][index.indexing.slowlog.index] [Torpedo][bank][1] took[101.4ms], took_millis[101], type[detail], id[88], routing[], source[{"account_number":25,"balance":40540,"firstname":"Virginia","lastname":"Ayala","age":39,"gender":"F","address":"171 Putnam Avenue","employer":"Filodyne","email":"[email protected]","city":"Nicholson","state":"PA"}] 
MATCHED 
source {"account_number":25,"balance":40540,"firstname":"Virginia","lastname":"Ayala","age":39,"gender":"F","address":"171·Putnam·Avenue","employer":"Filodyne","email":"[email protected]","city":"Nicholson","state":"PA"} 
INDEX-NAME bank 
SHARD 1 
QUERY index.indexing.slowlog.index 
LEVEL WARN 
id 88 
TOOK 101.4ms 
TOOKM 101 
routing 
TIMESTAMP 2017-05-17·22:22:55,708 
QUERY1 Torpedo 
type detail 
before match: [ 

When I ran it through Logstash, it throws an error as follows:

"message" => "[2017-05-17 22:23:35,292][WARN ][index.indexing.slowlog.index] [Torpedo][bank][4] took[10.4ms], took_millis[10], type[detail], id[69], routing[] , source[{\"account_number\":25,\"balance\":40540,\"firstname\":\"Virginia\",\"lastname\":\"Ayala\",\"age\":39,\"gender\":\"F\",\"address\":\"171 Putnam Avenue\",\"employer\":\"Filodyne\",\"email\":\"[email protected]\",\"city\":\"Nicholson\",\"state\":\"PA\"}]\r", 
     "@version" => "1", 
    "@timestamp" => "2017-05-17T17:35:36.287Z", 
      "path" => "F:\\logstash-2.4.0\\logstash-2.4.0\\bin\\index.txt", 
      "host" => "yaswanth", 
      "tags" => [ 
     [0] "_grokparsefailure" 
    ] 

How can I avoid this?

THANKS

Answer


routing[] ,

After the routing field I forgot to keep the space (i.e. %{SPACE}). That is the error.
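
The mismatch described in this answer can be reproduced offline. The following is an added example, not code from the original post: it expands the question's grok pattern into a Python regex and runs it against both forms of the log line. Assumptions: the pattern definitions are simplified stand-ins for the stock grok patterns, the final comma of the posted pattern is left out because the sample lines do not contain one, and the sample lines are constructed from the page's log line with a shortened JSON body.

```python
import re

# Simplified stand-ins for the stock grok patterns the question uses
# (assumption: not Logstash's exact definitions, but equivalent on this log format).
GROK = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?",
    "LOGLEVEL": r"[A-Za-z]+",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
    "SPACE": r"\s*",
    "DATA": r".*?",
}

def grok_to_regex(pattern):
    """Expand %{NAME} and %{NAME:field} into a Python regex with named groups."""
    def expand(m):
        body, field = GROK[m.group(1)], m.group(2)
        if field is None:
            return f"(?:{body})"
        # Python group names cannot contain '-', so INDEX-NAME becomes INDEX_NAME.
        return f"(?P<{field.replace('-', '_')}>{body})"
    return re.compile(re.sub(r"%\{(\w+)(?::([\w-]+))?\}", expand, pattern))

def parse(pattern, line):
    """Return the captured fields, or None (Logstash would tag _grokparsefailure)."""
    m = grok_to_regex(pattern).search(line)
    return m.groupdict() if m else None

# The question's pattern up to the routing field, then the two variants of the tail.
HEAD = (r"\[%{TIMESTAMP_ISO8601:TIMESTAMP}\]\[%{LOGLEVEL:LEVEL}%{SPACE}\]\[%{DATA:QUERY}\]"
        r"%{SPACE}\[%{DATA:QUERY1}\]%{SPACE}\[%{DATA:INDEX-NAME}\]\[%{DATA:SHARD}\]"
        r"%{SPACE}took\[%{DATA:TOOK}\],%{SPACE}took_millis\[%{DATA:TOOKM}\], "
        r"type\[%{DATA:type}\], id\[%{NUMBER:id}\], routing\[%{DATA:routing}\]")
TAIL = r", source\[%{DATA:source}\]"
ORIGINAL = HEAD + TAIL               # no whitespace allowed before the comma
FIXED = HEAD + "%{SPACE}" + TAIL     # the answer's fix: %{SPACE} after routing

# Constructed sample lines: the page's log line with a shortened JSON body.
PREFIX = ("[2017-05-17 22:23:35,292][WARN ][index.indexing.slowlog.index] "
          "[Torpedo][bank][4] took[10.4ms], took_millis[10], type[detail], id[69], ")
BODY = 'source[{"account_number":25,"state":"PA"}]'
LINE_TESTED = PREFIX + "routing[], " + BODY             # form pasted into grokconstructor
LINE_FROM_FILE = PREFIX + "routing[] , " + BODY + "\r"  # form Logstash read from the file

if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("fixed", FIXED)):
        for label, line in (("tested", LINE_TESTED), ("file", LINE_FROM_FILE)):
            print(name, label, "match" if parse(pat, line) else "_grokparsefailure")
```

The line tested in grokconstructor has `routing[],` while the line in the file has `routing[] ,`, so a pattern can pass in the tester and still fail in the pipeline when the tested sample is not byte-identical to the ingested one.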