我正在创建一个logstash grok过滤器,以从备份服务器中提取事件,并希望能够测试字段是否符合模式,如果匹配模式,则进一步处理该字段并提取其他信息。
为此,我在grok语句本身中嵌入了一个if语句。这将导致测试失败,出现“Error: Expected one of #, =>”的错误提示。
以下是过滤器语句:
我刚接触logstash,意识到在
注:完全删除
提前感谢您的帮助...
为此,我在grok语句本身中嵌入了一个if语句。这将导致测试失败,出现“Error: Expected one of #, =>”的错误提示。
以下是过滤器语句:
filter {
grok {
patterns_dir => "./patterns"
# NetWorker logfiles have some unusual fields that include undocumented engineering codes and what not
# time is in 12h format (ugh) so custom patterns need to be used.
match => [ "message", "%{NUMBER:engcode1} %{DATESTAMP_12H:timestamp} %{NUMBER:engcode2} %{NUMBER:engcode3} %{NUMBER:engcode4} %{NUMBER:ppid} %{NUMBER:pid} %{NUMBER:engcode5} %{WORD:processhost} %{WORD:processname} %{GREEDYDATA:daemon_message}" ]
# attempt to find completed savesets and pull that info from the daemon_message field
if [daemon_message] =~ /done\ saving\ to\ pool/ {
grok {
match => [ "daemon_message", "%{WORD:savehost}\:%{WORD:saveset} done saving to pool \'%{WORD:pool}\' \(%{WORD:volume}\) %{WORD:saveset_size}" ]
}
}
}
date {
# This is requred to set the time from the logline to the timestamp and not have it create it's own.
# Note the use of the trailing 'a' to denote AM or PM.
match => ["timestamp", "MM/dd/yyyy HH:mm:ss a"]
}
}
这个代码块出现了以下错误:
$ /opt/logstash/bin/logstash -f ./networker_daemonlog.conf --configtest
Error: Expected one of #, => at line 12, column 12 (byte 929) after # Basic dumb simple networker daemon log grok filter for the NetWorker daemon.log
# no smarts to this and not really pulling any useful info from the files (yet)
filter {
grok {
... lines deleted ...
# attempt to find completed savesets and pull that info from the daemon_message field
if
我刚接触logstash,意识到在
grok
语句中使用条件可能不可行,但我更喜欢用这种方式进行条件处理,而不是添加额外的match
行,因为这样可以保留daemon_message字段供其他用途,同时提取出我想要的数据。注:完全删除
if
语句允许configtest通过并使过滤器解析日志。提前感谢您的帮助...