Logstash过滤插件grok简单测试

Logstash配置文档

# vim useTime.conf

input {

    stdin{}

}

filter {

    grok {

        match => {

            "message" =>
"\s+(?<API>调用.*(用时|异常)).*useTime=(?<useTime>\d+?)$"

        }

    }

}

output {

    stdout{

        codec => rubydebug

    }

}

过滤正则表达示

\s+(?<API>调用.*(用时|异常)) 
-->  调用gz(广州银行)用时

useTime=(?<useTime>\d+?)$  --> useTime=251

测试的日志：

[07/29
00:01:17] [INFO] [[B10005-15]] impl.GzClientServiceImpl.exec:234 - 调用gz(广州银行)用时,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=251

[07/29
00:01:17] [INFO] [[B10005-15]] impl.GzClientServiceImpl.exec:234 - 调用gz(广州银行)异常,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=2510

测试结果：

[[email protected]
~]# /opt/logstash-2.3.4/bin/logstash -f useTime.conf

Settings:
Default pipeline workers: 1

Pipeline main
started

[07/29
00:01:17] [INFO] [[B10005-15]] impl.GzClientServiceImpl.exec:234 - 调用gz(广州银行)用时,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=251

{

       "message" => "[07/29
00:01:17] [INFO] [[B10005-15]] impl.GzClientServiceImpl.exec:234 - 调用gz(广州银行)用时,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=251",

      "@version" => "1",

    "@timestamp" =>
"2016-07-30T15:09:21.376Z",

          "host" =>
"0.0.0.0",

           "API" => "调用gz(广州银行)用时",

       "useTime" =>
"251"

}

[07/29
00:01:17] [INFO] [[B10005-15]] impl.GzClientServiceImpl.exec:234 - 调用gz(广州银行)异常,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=2510

{

       "message" => "[07/29
00:01:17] [INFO] [[B10005-15]] impl.GzClientServiceImpl.exec:234 - 调用gz(广州银行)异常,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=2510",

      "@version" => "1",

    "@timestamp" =>
"2016-07-30T15:09:28.885Z",

          "host" =>
"0.0.0.0",

           "API" => "调用gz(广州银行)异常",

       "useTime" =>
"2510"

}

^CSIGINT
received. Shutting down the agent. {:level=>:warn}

stopping
pipeline {:id=>"main"}

Over！！