我有一个具有这种结构的日志消息:
"message" => "{
"@timestamp":"201856T12:54:33.347+02:00",
"thread":"main",
"logger_name":"org.elasticsearch.bootstrap",
"level":"WARN",
"message":"JNA not found. native methods will be disabled.",
"stack_trace": "java.lang.ClassNotFoundException: ...
}
如您所见,消息内部有一个 stack_trace 字段,但控件
if [message][stack_trace] {
mutate { add_tag => ["EXCEPTION"] }
}
不工作
如何检查“消息”是否包含“stack_trace”字段?
其他信息:消息是通过logstash-logback-encoder生成的,如下:
<appender name="STASH" class="net.logstash.logback.appender.LogstashTcpSocketAppender">
<destination>localhost:5000</destination>
<encoder class="net.logstash.logback.encoder.LoggingEventCompositeJsonEncoder">
<providers>
<timestamp>
<timeZone>Europe/Berlin</timeZone>
</timestamp>
<callerData>
<classFieldName>classname</classFieldName>
<methodFieldName>method</methodFieldName>
<fileFieldName>file</fileFieldName>
<lineFieldName>line</lineFieldName>
</callerData>
<threadName>
<fieldName>thread</fieldName>
</threadName>
<loggerName />
<logLevel />
<message />
<stackTrace />
</providers>
</encoder>
</appender>
这是logstash输入管道的内容:
input {
tcp {
port => 5000
}
}
filter {
grok {
match => { "message" => "LAT: %{NUMBER:LAT:float}, LON: %{NUMBER:LON:float}"}
match => { "message" => "file %{WORD:TIPOFILE} elaborato" }
match => { "message" => "Pubblicazione file %{WORD:PUB_FILENAME} sulla coda %{WORD:DEST_QUEUE} terminata" }
}
mutate {
rename => { "TIPOFILE" => "[filename]" }
rename => { "LAT" => "[location][latitude]" }
rename => { "LON" => "[location][longitude]" }
rename => { "DEST_QUEUE" => "[destQueue]" }
rename => { "PUB_FILENAME" => "[nomeFilePubbl]" }
}
}
output {
stdout {
codec => rubydebug
}
elasticsearch {
hosts => "elasticsearch:9200"
}
}