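Requirement: use the mutate plugin in the filter stage to split the original Java log line and extract the log-level field.
When the level is ERROR, submit the event to a specified URL for further processing.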
input {
  file {
    type => "api"
    path => "/home/jar/api/logs/*-error.log"
    # Lines that do not start with a timestamp (e.g. stack traces) are appended to the previous event
    codec => multiline {
      pattern => "^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3}"
      negate => true
      what => previous
    }
  }
}
filter {
  # Keep an untouched copy of the event text before it is split
  mutate {
    copy => { "message" => "source_message" }
  }
}
filter {
  # Split on spaces and take element [2] as the log level
  mutate {
    split => ["message", " "]
    add_field => { "level" => "%{[message][2]}" }
  }
}
output {
  if [level] == "ERROR" {
    http {
      http_method => "post"
      url => "http://xxx/logstash.php"
    }
  }
  stdout { codec => rubydebug }
}
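Notes on the key settings:
Take this log line as an example: 2019-02-20 15:55:47.273 ERROR [http-nio-8081-exec-32] io.renren.service.impl.CertificateServiceImpl.notify:840 – 支付宝回调返回不成功
# Keep the original log (I later found that this approach is wrong: add_field is applied after split, so %{message} renders the split array and the spaces in the original log are replaced by commas, which breaks the original format)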
add_field => {
  "source_message" => "%{message}"
}
It has to be replaced with the following configuration:
filter {
  mutate {
    copy => {
      "message" => "source_message"
    }
  }
}
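Only this way is the original format preserved.
# Add the field level, whose value is the 3rd field of the original log line (index 2 after the split)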
add_field => {
  "level" => "%{[message][2]}"
}
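Added example, not part of the original article and not Logstash's own code: a small Ruby model of the two variants above, showing why add_field in the same mutate as split produces the comma-joined text while a separate copy placed first keeps the original. The function names, the stack-trace line and the simplified %{...} interpolation are assumptions made for illustration.

```ruby
# Constructed sample: the article's log line plus one made-up stack-trace line,
# joined the way the multiline codec would deliver them.
SAMPLE = "2019-02-20 15:55:47.273 ERROR [http-nio-8081-exec-32] " \
         "io.renren.service.impl.CertificateServiceImpl.notify:840 – 支付宝回调返回不成功\n" \
         "\tat com.example.Demo.run(Demo.java:1)"

# Simplified model of %{...} interpolation: arrays are joined with ",",
# and a reference that does not resolve is left in place as literal text.
def interpolate(event, template)
  template.gsub(/%\{([^}]+)\}/) do |ref|
    path = Regexp.last_match(1).scan(/[^\[\]]+/)
    value = path.reduce(event) do |node, key|
      case node
      when Hash  then node[key]
      when Array then key.match?(/\A\d+\z/) ? node[key.to_i] : nil
      end
    end
    value.nil? ? ref : (value.is_a?(Array) ? value.join(",") : value.to_s)
  end
end

# Model of one mutate block: split runs before copy, and add_field is applied
# last, so both see the already-split array when they share a block with split.
def mutate(event, split: {}, copy: {}, add_field: {})
  out = event.dup
  split.each { |field, sep| out[field] = out[field].split(sep) if out[field].is_a?(String) }
  copy.each { |src, dst| out[dst] = out[src].dup }
  add_field.each { |name, tmpl| out[name] = interpolate(out, tmpl) }
  out
end

# First attempt from the article: add_field in the same mutate as split.
def same_block(msg)
  mutate({ "message" => msg }, split: { "message" => " " },
         add_field: { "source_message" => "%{message}", "level" => "%{[message][2]}" })
end

# The article's fix: copy in its own mutate, placed before the split.
def copy_first(msg)
  kept = mutate({ "message" => msg }, copy: { "message" => "source_message" })
  mutate(kept, split: { "message" => " " }, add_field: { "level" => "%{[message][2]}" })
end

# Mirrors the output conditional: if [level] == "ERROR"
def forward?(event)
  event["level"] == "ERROR"
end
```

In this model a line with fewer than three tokens leaves level as the literal text %{[message][2]}, so such an event never matches the ERROR conditional and is not posted.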
Original article; please credit the source when reposting. Permalink: https://www.rootop.org/pages/4262.html