0

我正在尝试从 nginx 日志文件中获取输出并将其发送到 logstash。

10.1.10.20 - bob [14/Feb/2014:18:57:05 +0000] “POST /main/foo.git/git-upload-pack HTTP/1.1” 200 3653189 “-” “git/1.8.3.4 (Apple Git–47)”

Grock 能够很好地找到前 3 个单词

10.1.10.20 - bob [14/Feb/2014:18:57:05 +0000]

%{IPV4:user_ip} - %{USERNAME:user_name} \[%{HTTPDATE:time_local}\]

Grok 能够很好地找到第三个和第四个单词

[14/Feb/2014:18:57:05 +0000] “POST /main/foo.git/git-upload-pack HTTP/1.1”

\[%{HTTPDATE:time_local}\] %{QUOTEDSTRING:request}

但是,当我将它们结合起来并尝试找到所有 4 个时,grok 说没有结果(使用http://grokdebug.herokuapp.com/进行测试)

10.1.10.20 - bob [14/Feb/2014:18:57:05 +0000] “POST /main/foo.git/git-upload-pack HTTP/1.1” 

%{IPV4:user_ip} - %{USERNAME:user_name} \[%{HTTPDATE:time_local}\]  %{QUOTEDSTRING:request}
#not found

任何人都知道如何在上面的示例中获取带引号的字符串?

我是 grok 的新手,所以也许我没有正确处理这个问题。

更新

有趣的是,如果我使用以下日志行然后手动输入 url 它确实有效

 bob 14/Feb/2014:18:57:05 +0000 "herp"
 #Once herp works, replace herp, with POST
 bob 14/Feb/2014:18:57:05 +0000 "POST"
 #Once POST works, keep expounding until the whole thing is in place
 autobuild 14/Feb/2014:18:57:05 +0000 "POST /main/builder.git/git-upload-pack HTTP/1.1"
4

3 回答 3

3

"POST /main/builder.git/git-upload-pack HTTP/1.1"在模式中

"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}"

于 2014-12-01T02:30:47.820 回答
0

发布到堆栈溢出的过程确定了问题。

如果你仔细看,双引号的解析方式不同

"POST

对比

“POST

手动输入双引号可以解决问题

于 2014-02-15T00:40:42.177 回答
0

您也可以将此表达式用于日志更改的情况:

"%{WORD:verb}(?:| %{URIPATHPARAM:request})(?:| HTTP/%{NUMBER:httpversion})"

它与:

"POST /main/builder.git/git-upload-pack HTTP/1.1"

或者

"POST /main/builder.git/git-upload-pack"

或者

"POST"

试试看.. ;)

于 2015-07-21T16:05:13.783 回答