0
我正在尝试解析日志并将其放入使用logstash的弹性搜索中。在使用grok解析时为空字段插入虚拟值logstash
我的日志文件是在以下格式
[18-Aug-2016 02:28:46,537][ERROR][thread1][package.name] there is error in line 52
\[%{GREEDYDATA:date} %{GREEDYDATA:time}\]\[%{LOGLEVEL:log_type}\]\[%{GREEDYDATA:thread_name}\]\[%{GREEDYDATA:package}\](%{GREEDYDATA:log_msg})?
当我运行此神交过滤器我得到正确输出。但是,有些情况下我得到的输入没有最后一个字段(log_msg)。是这样的:
[18-Aug-2016 02:28:46,537][ERROR][thread1][package.name]
在这种情况下神交是忽略了最后一个字段log_msg并没有得到inseted到弹性搜索。
但是,有没有什么办法,我们可以设置一个空的字符串或字符串,如果log_msg字段中不存在消息中的“无数据”。
真实输出继电器:
{
"message" => "[18-Aug-2016 02:28:46,537][ERROR][thread1][package.name]",
"@version" => "1",
"@timestamp" => "2016-08-17T12:31:58.209Z",
"path" => "/home/admin-nfv/test1_log.log",
"host" => "nendc1-bg-d104",
"date" => "18-Aug-2016",
"time" => "02:28:46,537",
"log_type" => "ERROR",
"thread_name" => "thread1",
"package" => "package.name"
}
预期输出:
{
"message" => "[18-Aug-2016 02:28:46,537][ERROR][thread1][package.name]",
"@version" => "1",
"@timestamp" => "2016-08-17T12:31:58.209Z",
"path" => "/home/admin-nfv/test1_log.log",
"host" => "nendc1-bg-d104",
"date" => "18-Aug-2016",
"time" => "02:28:46,537",
"log_type" => "ERROR",
"thread_name" => "thread1",
"package" => "package.name",
"log_msg" => "no data"
}