I parse my log in Logstash with a grok pattern, but the resulting logData field is too long. I want the log to be split into separate events at each log-level line (one event per `[LOGLEVEL]` entry). What should I do?
--my logdata--
[DEBUG] [2017-07-10 09:53:35,411] pporan.maven.framework.db.QueryInterceptor.intercept(QueryInterceptor.java:58) -@@@@@@@@@ parameter @@@@@@@@@@
{curPage2=1, search_use_yn=Y, bn_sche_seq=0, pageBlockSize=5, endPage=5, _servletResponse=jeus.servlet.engine.HttpServletResponseImpl@3132707d, _servletRequest= jeus.servlet.engine.WebtobServletRequest@667737c6, version_cd=VER02, startPage=0, pageRowSize=5, bn_sche_seq_arr=[20029, 20028, 20027, 20024, 20022]}
[DEBUG] [2017-07-10 09:53:35,412] pporan.maven.framework.db.QueryInterceptor.intercept(QueryInterceptor.java:60) -@>> end QueryInterceptor.
[DEBUG] [2017-07-10 09:53:35,418] pporan.maven.framework.db.QueryInterceptor.intercept(QueryInterceptor.java:34) -@>> start QueryInterceptor.
[DEBUG] [2017-07-10 09:53:35,426] pporan.maven.framework.db.QueryInterceptor.intercept(QueryInterceptor.java:56) -@@@@@@@@@ interceptor method is : query
[DEBUG] [2017-07-10 09:53:35,426] pporan.maven.framework.db.QueryInterceptor.intercept(QueryInterceptor.java:57) -@@@@@@@@@ query @@@@@@@@@@
SELECT AA.*
, CASE WHEN AB.PLT_SEQ IS NULL THEN 'N' ELSE 'Y' END AS RES_YN
, CASE WHEN AB.PLT_CNT <= AB.RES_CNT THEN 'Y' ELSE 'N' END AS ALL_YN
FROM (
SELECT A.SEQ
, A.SEQ AS SA_SEQ
, A.NAME
, A.NAME AS SA_NAME
, A.SA_ID
, A.RES_YN
, COUNT() OVER() AS AS_CNT
FROM PLATFORM CA
WHERE A.TT_YN = 'Y'
GROUP BY AS.SEQ, AS.NAME, A.AS_ID, A.AS_YN
) AA
LEFT OUTER JOIN
(
SELECT AS_SEQ
, COUNT() OVER() AS RES_CNT
FROM SCHE_AS_MAP
WHERE SCHE_SEQ = ?
AND SCHE_KRR_CD = ?
) BB
ON AA.SEQ = BB.AS_SEQ
ORDER BY AA.SEQ
-------------------------------- LOGSTASH CONF FILE-----------------------
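input {
  file {
    path => ["/program/file/log/mylog2_.log"]
    # Every log record starts with "[LEVEL] [timestamp]". A line that does NOT
    # start that way (parameter dump, SQL text, stack-trace line) is a
    # continuation and is appended to the record before it.
    #
    # The earlier pattern ended in (^\D.+). "[" is a non-digit, so lines that
    # open a new record also matched and were glued onto the previous event,
    # which is why the parsed data kept growing.
    codec => multiline {
      pattern => "^\[%{LOGLEVEL}\] \[%{TIMESTAMP_ISO8601}\]"
      negate => true
      what => "previous"
    }
  }
}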
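filter {
  # grok runs first: it creates the "timestamp" field that the date filter
  # below consumes. Filters execute in the order they are written.
  grok {
    # PACKAGE_NAME and SOURCE_INFO are custom patterns loaded from this directory.
    patterns_dir => ["../pattern"]
    # The literal [ ] ( ) in the log line are escaped; unescaped they are
    # regex metacharacters (character class / group) and do not match the text.
    # NOTE(review): GREEDYDATA is ".*" and stops at the first newline. If logData
    # should also hold the continuation lines of a multi-line event, prefix the
    # pattern with (?m) - confirm which is wanted.
    match => { "message" => ["\[%{LOGLEVEL:loglevel}\] \[%{TIMESTAMP_ISO8601:timestamp}\] %{PACKAGE_NAME:packageName}\(%{SOURCE_INFO}\) %{GREEDYDATA:logData}"] }
  }
  date {
    timezone => "Asia/Seoul"
    # The log prints "09:53:35,411" with no space after the comma, so the
    # format must not contain one either.
    match => ["timestamp", "yyyy-MM-dd HH:mm:ss,SSS"]
    # NOTE(review): "kr" is a country code; the Korean language tag is "ko".
    # It should not matter for an all-numeric format - confirm.
    locale => "kr"
    # Dropped only when the date was parsed successfully.
    remove_field => ["timestamp"]
  }
  mutate {
    add_field => {
      "type" => "TADMIN"
    }
  }
}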
output {
  # All three outputs sit inside this condition, so an event tagged
  # _grokparsefailure is written nowhere. Parse failures are therefore
  # invisible; route them to a separate output if they need to be noticed.
  if "_grokparsefailure" not in [tags] {
    # The sample events carry DEBUG output: request parameter maps and full
    # query text. No user/password or TLS options are set on this output, so
    # access to the index and the transport to this host should be reviewed
    # before such data is shipped.
    elasticsearch {
      hosts => "202.3.21.93"
      index => "logstash-%{+YYYY.MM.dd}"
      document_type => "tadminLog"
      #index => "tadminlogs"
    }
    # Console copy of every event, pretty-printed.
    stdout {
      codec => rubydebug { }
    }
    # A further copy of the same events on local disk; it needs the same file
    # permissions and retention as the source log.
    file {
      path => ["/program/logstash/logstash.log"]
    }
  }
}
Please help me.