0
这是我意义上的日志服务器:分析意义上的记录与logstash
{"timestamp":"2015-01-21T09:43:21.387501+0700","level":"info","message":"publishing check result","payload":{"client":"local.com","check":{"name":"instance_xxx_check","issued":1421808200,"command":"xargs -I{} sh -c '/opt/sensu/embedded/bin/ruby /etc/sensu/plugins/check-http.rb -u {}' < /etc/sensu/conf.d/live/list/xxx.txt","handlers":["default","mailer"],"interval":60,"subscribers":["live"],"executed":1421808200,"duration":1.317,"output":"CheckHTTP OK: 200, http://link1.com\nCheckHTTP CRITICAL: Request error: http://link2.com\nCheckHTTP OK: 200, http://link3.com\n","status":123}}}
这是JSON格式,你可以使用JSON解析来查看它。
,并通过logstash过滤器后,会在这样的像场解析:
http://i.stack.imgur.com/4KA0i.jpg
现在我想添加一个名为“错误”,它只是包含的关键“http://link.com”信息字段。它的意思是,如果过滤器匹配CheckHTTP关键在“payload.check.output”字段,它会增加错误链接到新的“错误”字段
这是我在logstash过滤器配置:
if [type] == "sensu" {
grok {
match => [ "payload.check.output", "%{CISCO_REASON}: Request error: %{URI}" ]
}
mutate {
add_field => { "error" => "%{payload.check.output}" }
remove_field => [ "timestamp" ]
}
}
但没有任何事情发生
谢谢,本林,但它显示错误字段中的所有3链接(我试试这个配置),我的目标是分裂它,错误字段只包含单个错误链接。因为它只是发生在1链接错误和2链接保持在某种程度上确定 http://i.imgur.com/uFnzxb0.jpg 3链接显示 – Jin 2015-01-21 08:02:29
嗨,金。我已经更新了答案。请再试一次。我认为它可以回答你的问题。 – 2015-01-21 09:23:43