logstash 处理各种时间格式

tomcat access日志:

{

            "@version" => "1",

          "@timestamp" => "2016-10-22T12:58:07.000Z",

                "path" => "/data01/applog_backup/zjzc_log/zj-api-access01.2016-10-22",

                "host" => "dr-mysql01.zjcap.com",

                "type" => "zj_api_access",

            "clientip" => "10.252.142.174",

                "time" => "22/Oct/2016:20:58:07 +0800",

                "verb" => "GET",

                 "api" => "/api/validate/code/send",

         "httpversion" => "1.1",

    "http_status_code" => "200",

               "bytes" => "52",

            "remoteip" => "115.51.148.47",

       "response_time" => 0.015,

            "messager" => "zj_api_access- 10.252.142.174 - - [22/Oct/2016:20:58:07 +0800] \"GET /api/validate/code/send?mobilePhone=15090308333&messageType=1&_=1454297673274 HTTP/1.1\" 200 52 0.015 115.51.148.47"

}

"message" , "\s*%{IPORHOST:clientip}\s+\-\s+\-\s+\[%{HTTPDATE:time}\]\s+\"%{WORD:verb}\s+(?<api>(\S+))\?.*\s+HTTP/%{NUMBER:httpversion}\"\s+%{NUMBER:http_status_code}\s+%{NUMBER:bytes}\s+(%{BASE16FLOAT:request_time})\s+%{IPORHOST:remoteip}",

"message" ,"\s*%{IPORHOST:clientip}\s+\-\s+\-\s+\[%{HTTPDATE:time}\]\s+\"%{WORD:verb}\s+(?<api>(\S+))\s+HTTP/%{NUMBER:httpversion}\"\s+%{NUMBER:http_status_code}\s+%{NUMBER:bytes}\s+(%{BASE16FLOAT:request_time})\s+%{IPORHOST:remoteip}",

"message" ,"\s*%{IPORHOST:clientip}\s+\-\s+\-\s+\[%{HTTPDATE:time}\]\s+\"%{WORD:verb}\s+(?<api>(\S+))\s+HTTP/%{NUMBER:httpversion}\"\s+%{NUMBER:http_status_code}\s+\-\s+(%{BASE16FLOAT:request_time})\s+%{IPORHOST:remoteip}",

"message","\s*%{IPORHOST:clientip}\s+\-\s+\-\s+\[%{HTTPDATE:time}\]\s+\"%{WORD:verb}\s+(?<api>(\S+))\s+HTTP/%{NUMBER:httpversion}\"\s+%{NUMBER:http_status_code}\s+\-\s+(%{BASE16FLOAT:request_time})\s+(%{IPORHOST:remoteip}|-)"

tomcat catalina日志；

{

    "@timestamp" => "2016-10-22T12:59:22.877Z",

      "@version" => "1",

          "path" => "/data01/applog_backup/zjzc_log/zj-api02-catalina.out.2016-10-22",

          "host" => "dr-mysql01.zjcap.com",

          "type" => "zj_api",

      "messager" => "zj_api- 2016-10-22 20:59:22,877 INFO com.zjzc.interceptor.ClientAuthInterceptor - authInfo servletPath=/validate/code/send,clientSn=null,access=true",

          "time" => "2016-10-22 20:59:22,877",

         "Level" => "INFO"

}

filter {

    grok {

        match => [ "message","\s*%{TIMESTAMP_ISO8601:time}\s+(?<Level>(\S+)).*"]

     }

     date {

        match => ["time", "yyyy-MM-dd HH:mm:ss,SSS"]

    }

     mutate {

       remove_field =>["message"]

        }

}

nginx access 日志；

{

                 "message" => " 10.171.246.184 [22/Oct/2016:21:00:40 +0800] \"GET /resources/images/icon/icon_phone_gray.273e583f.png HTTP/1.1\" - 200 352 \"https://www.zjcap.cn/resources/css/base.css?06212016\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36\" 0.000 115.236.160.82",

                "@version" => "1",

              "@timestamp" => "2016-10-22T13:00:40.000Z",

                    "path" => "/data01/applog_backup/zjzc_log/zj-frontend01-access.2016-10-22",

                    "host" => "dr-mysql01.zjcap.com",

                    "type" => "zj_frontend_access",

                "clientip" => "10.171.246.184",

                    "time" => "22/Oct/2016:21:00:40 +0800",

                    "verb" => "GET",

                 "request" => "/resources/images/icon/icon_phone_gray.273e583f.png",

             "httpversion" => "1.1",

        "http_status_code" => "200",

                   "bytes" => "352",

            "http_referer" => "https://www.zjcap.cn/resources/css/base.css?06212016",

         "http_user_agent" => "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36",

    "http_x_forwarded_for" => "115.236.160.82",

                   "geoip" => {

                      "ip" => "115.236.160.82",

           "country_code2" => "CN",

           "country_code3" => "CHN",

            "country_name" => "China",

          "continent_code" => "AS",

             "region_name" => "02",

               "city_name" => "Hangzhou",

                "latitude" => 30.293599999999998,

               "longitude" => 120.16140000000001,

                "timezone" => "Asia/Shanghai",

        "real_region_name" => "Zhejiang",

                "location" => [

            [0] 120.16140000000001,

            [1] 30.293599999999998

        ],

             "coordinates" => [

            [0] 120.16140000000001,

            [1] 30.293599999999998

        ]

    },

           "response_time" => 0.0,

                "messager" => "zj_frontend_access 10.171.246.184 [22/Oct/2016:21:00:40 +0800] \"GET /resources/images/icon/icon_phone_gray.273e583f.png HTTP/1.1\" - 200 352 \"https://www.zjcap.cn/resources/css/base.css?06212016\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36\" 0.000 115.236.160.82"

filter {

    grok {

        match =>[

             "message","%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} %{URIPATHPARAM:request}\?.* HTTP/%{NUMBER:httpversion}\" \- %{NUMBER:http_status_code} %{NUMBER:bytes} \"(?<http_referer>\S+)\" \"(?<http_user_agent>(\S+\s+)*\S+)\" (%{BASE16FLOAT:request_time}) (%{IPORHOST:http_x_forwarded_for}|-)",

             "message" , "%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}\" \- %{NUMBER:http_status_code} %{NUMBER:bytes} \"(?<http_referer>\S+)\" \"(?<http_user_agent>(\S+\s+)*\S+)\" (%{BASE16FLOAT:request_time}) (%{IPORHOST:http_x_forwarded_for}|-)",

             "message","%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} (?<http_url>\S+)\s+HTTP/%{NUMBER:httpversion}\"\s+\-\s+%{NUMBER:http_status_code}\s+%{NUMBER:bytes}\s+\"\-\"\s+\"(?<http_user_agent>(\S+))\"\s+(%{BASE16FLOAT:request_time})\s+(%{IPORHOST:http_x_forwarded_for}|-)",

             "message","%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}\" \- %{NUMBER:http_status_code} %{NUMBER:bytes} \"\" \"(?<http_user_agent>(\S+\s+)*\S+)\" (%{BASE16FLOAT:request_time}) (%{IPORHOST:http_x_forwarded_for}|-)"

        ]

    }   

nginx error 日志；

         "message" => " 2016/10/22 21:00:32 [error] 12890#0: *98081 open() \"/var/www/zjzc-web-frontEnd/favicon.ico\" failed (2: No such file or directory), client: 10.171.246.184, server: localhost, request: \"GET /favicon.ico HTTP/1.1\", host: \"www.zjcap.cn\"",

        "@version" => "1",

      "@timestamp" => "2016-10-22T13:00:32.000Z",

            "path" => "/data01/applog_backup/zjzc_log/zj-frontend01-error.2016-10-22",

            "host" => "dr-mysql01.zjcap.com",

            "type" => "zj_frontend_error",

            "time" => "2016/10/22 21:00:32",

        "severity" => "error",

             "pid" => "12890",

    "errormessage" => "*98081 open() \"/var/www/zjzc-web-frontEnd/favicon.ico\" failed (2: No such file or directory)",

     "remote_addr" => "10.171.246.184",

          "server" => "localhost",

         "request" => "\"GET /favicon.ico HTTP/1.1\"",

    "request_host" => "\"www.zjcap.cn\""

}

filter {

        grok {

            match => [ "message" , "(?<time>%{YEAR}[./-]%{MONTHNUM}[./-]%{MONTHDAY}[- ]%{TIME}) \[%{LOGLEVEL:severity}\] %{POSINT:pid}#%{NUMBER}: %{GREEDYDATA:errormessage}(?:, client: (?<remote_addr>%{IP}|%{HOSTNAME}))(?:, server: %{IPORHOST:server}?)(?:, request: %{QS:request})?(?:, upstream: (?<upstream>\"%{URI}\"|%{QS}))?(?:, host: %{QS:request_host})?(?:, referrer: \"%{URI:referrer}\")?"]

        }

         date {

        match => ["time", "yyyy/MM/dd HH:mm:ss"]

    }

}

logstash 处理各种时间格式的更多相关文章

logstash关于date时间处理的几种方式总结
1.第一种,直接在配置文件中自定义时间格式这是tomcat配置文件中的一段日志时间配置,按照这样的配置,那么输出的日志是这样子的: 然后你继续在logstash中这样子配置此时logstash就不 ...
elasticsearch中保存时间格式
利用logstash从文档中导入数据到es中,若未事先设定数据格式,有可能存储时间并未保存为date格式而是text格式. 时间若保存为text,则在会以字符串数组格式存储在es中,是乱序,不好查询. ...
NSDateFormatter 时间格式转换
NSString *strDate = @“Wed Apr ::”; NSDateFormatter *dateFomatter =[[NSDateFormatter alloc] init]; [d ...
时间格式转换—将后台返回的/Date(1448954018000)/格式转换为正常的时间格式
用JS实现方法: function ChangeDateFormat(cellval) { )); < ? ) : date.getMonth() + ; ? " + date.get ...
Newtonsoft.Json 序列化和反序列化时间格式【转】
1.JSON序列化 string JsonStr= JsonConvert.SerializeObject(Entity); eg: A a=new A(); a.Name="Elain ...
Spring mvc时间格式处理
spring mvc中,如果时间格式是yyyy-MM-dd,传入后台会报错,要增加一些配置才可以. 1.修改spring-mvc.xml,增加org.springframework.format.su ...
db2 日期时间格式
db2日期和时间常用汇总 1.db2可以通过SYSIBM.SYSDUMMY1.SYSIBM.DUAL获取寄存器中的值,也可以通过VALUES关键字获取寄存器中的值. SELECT 'HELLO DB2 ...
JavaScriptSerializer 序列化json 时间格式
利用JavaScriptSerializer 序列化json 时间格式,得到的DateTime值值显示为“/Date(700000+0500)/”形式的JSON字符串,显然要进行转换 1.利用字符串直 ...
sqlserver 时间格式函数详细
一.时间函数在使用存储过程,sql函数的时候,会遇到一些对时间的处理.比如时间的获取与加减.这里就用到了sql自带的时间函数.下面我列出这些函数,方便日后记忆,使用. --getdate 获取当前时 ...

随机推荐

android 28 SimpleAdapter
监听器返回fasle,则事件还会分发给其他监听器. SimpleAdapter是BaseAdapter的子类,对适配器进行了简化,数据的格式是List,List的元素必须是Map, public Si ...
TCP 函数
[root@localhost tt]# man listen LISTEN() Linux Programmer’s Manual LISTEN() NAME listen - listen for ...
CentOS 6.3 源码安装LAMP(Linux+Apache+Mysql+Php)环境
一.简介什么是LAMP LAMP是一种Web网络应用和开发环境,是Linux, Apache, MySQL, Php/Perl的缩写,每一个字母代表了一个组件,每个组件就其本身而>言都是在它所 ...
Visual Studio 调试技巧（二）-- 为中断设置条件
今天尽是干货.我们来讨论如何为中断设置条件吧. 就像习大大讲的精确扶贫一样,如果我们能很精确地,仅在需要的时候把断点命中,以查看这个时候的程序数据,我们就能显著地提高 Debug 的效率.为断点设置条 ...
[转] What is the point of redux when using react?
As I am sure you have heard a bunch of times, by now, React is the V in MVC. I think you can think o ...
Java 国际化语言切换
Java国际化我们使用java.lang.Locale来构造Java国际化的情境. java.lang.Locale代表特定的地理.政治和文化.需要Locale来执行其任务的操作叫语言环境敏感的 ...
Java设计模式03：常用设计模式之单例模式（创建型模式）
1. Java之单例模式(Singleton Pattern ) 单例模式是一种常见的设计模式,单例模式分三种:懒汉式单例.饿汉式单例.登记式单例三种. 单例模式有一下特点: 1.单例类只能有一个实 ...
9.21 noip模拟试题
Problem 1 护花(flower.cpp/c/pas) [题目描述] 约翰留下他的N(N<=100000)只奶牛上山采木．他离开的时候,她们像往常一样悠闲地在草场里吃草．可是,当他回来的时 ...
关于NetworkInfo对象的isConnected()与isAvailable()
public class MainActivity extends Activity{ /** Called when the activity is first created. */ ...
FluentNHibernate当数据库设置默认值时，使用插入操作，导致默认值没有写入问题
需要再映射属性字段增加Not.Insert() Map(x => x.Provrince, "PROVRINCE").Not.Insert(); Map(x => x. ...

logstash 处理各种时间格式

logstash 处理各种时间格式的更多相关文章

随机推荐

热门专题