Configuration Logstash(filter:grok) 2
I tried out filter settings in the configuration file /etc/logstash/conf.d/nginx-access_log.conf.

pattern 1

Configuration

filter {
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
  }
}

Output from Logstash
{
  "message":"127.0.0.1 - - [02/Jul/2016:08:57:36 +0000] \"GET / HTTP/1.0\" 200 612 \"-\" \"ApacheBench/2.3\" \"-\"",
  "@version":"1",
  "@timestamp":"2016-07-20T08:57:37.213Z",
  "path":"/var/log/nginx/access.log",
  "host":"e0b8c7a1e2cb",
  "clientip":"127.0.0.1",
  "ident":"-",
  "auth":"-",
  "timestamp":"02/Jul/2016:08:57:36 +0000",
  "verb":"GET",
  "request":"/",
  "httpversion":"1.0",
  "response":"200",
  "bytes":"612",
  "referrer":"\"-\"",
  "agent":"\"ApacheBench/2.3\""
}
pattern 2

Configuration

filter {
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
    overwrite => [ "message" ]
  }
  date {
    match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
    remove_field => [ "timestamp" ]
  }
}

Output from Logstash
{
  "message":"127.0.0.1 - - [02/Jul/2016:09:08:45 +0000] \"GET / HTTP/1.0\" 200 612 \"-\" \"ApacheBench/2.3\" \"-\"",
  "@version":"1",
  "@timestamp":"2016-07-02T09:08:45.000Z",
  "path":"/var/log/nginx/access.log",
  "host":"e0b8c7a1e2cb",
  "clientip":"127.0.0.1",
  "ident":"-",
  "auth":"-",
  "verb":"GET",
  "request":"/",
  "httpversion":"1.0",
  "response":"200",
  "bytes":"612",
  "referrer":"\"-\"",
  "agent":"\"ApacheBench/2.3\""
}
The timestamp field is gone.

I don't really understand what effect overwrite has on the message field...
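As an added example (not code from the original post), the Python below mimics what the two filters in pattern 2 do to one event: a regex equivalent of %{COMBINEDAPACHELOG}, grok's append-or-overwrite rule for a captured field that already exists on the event, and the date step that builds @timestamp and then removes timestamp. It also shows why overwrite has no visible effect in pattern 2: COMBINEDAPACHELOG never captures a field called message, and overwrite only matters when a captured field name collides with one already on the event. The sample log line and the REQUEST_AS_MESSAGE pattern are constructed for this example and are assumptions, not part of the page.

```python
import re
from datetime import datetime, timezone

# Regex equivalent of grok's %{COMBINEDAPACHELOG}: QS keeps the surrounding quotes,
# which is why referrer and agent appear as "\"-\"" in the page's output.
COMBINED = re.compile(
    r'(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+)(?: HTTP/(?P<httpversion>\S+))?" '
    r'(?P<response>\d+) (?P<bytes>\d+|-) (?P<referrer>"[^"]*") (?P<agent>"[^"]*")'
)

# Hypothetical pattern that captures the request line into "message" itself,
# the situation grok's overwrite option exists for (not a pattern from the page).
REQUEST_AS_MESSAGE = re.compile(r'\S+ \S+ \S+ \[[^\]]+\] "(?P<message>[^"]*)"')

# Constructed sample line, copied from the page's pattern 2 output.
LOG_LINE = ('127.0.0.1 - - [02/Jul/2016:09:08:45 +0000] "GET / HTTP/1.0" 200 612 '
            '"-" "ApacheBench/2.3" "-"')

def grok(event, regex, overwrite=()):
    """Mimic the grok filter: add captures to the event; tag the event on failure."""
    m = regex.match(event["message"])
    if m is None:
        event.setdefault("tags", []).append("_grokparsefailure")
        return event
    for name, value in m.groupdict().items():
        if value is None:
            continue
        if name in event and name not in overwrite:
            # Without overwrite, grok appends, turning the field into an array.
            old = event[name]
            event[name] = (old if isinstance(old, list) else [old]) + [value]
        else:
            event[name] = value
    return event

def date_filter(event, field="timestamp", fmt="%d/%b/%Y:%H:%M:%S %z"):
    """Mimic the date filter: set @timestamp from `field`, then remove_field."""
    if field in event:
        dt = datetime.strptime(event[field], fmt).astimezone(timezone.utc)
        # The access-log timestamp has whole-second precision, hence .000Z.
        event["@timestamp"] = dt.strftime("%Y-%m-%dT%H:%M:%S.000Z")
        del event[field]
    return event

def pipeline(line, overwrite=("message",)):
    """Pattern 2 from the page: grok with overwrite, then date with remove_field."""
    return date_filter(grok({"message": line}, COMBINED, overwrite))
```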