# Event as printed by the stdout/rubydebug output for one nginx access-log line.
# Points worth noticing:
# - "request" holds only the path; the "?_=1484112094581" query string that is
#   still visible in "message" was discarded by the grok pattern that matches
#   "\?.*" right after %{URIPATHPARAM:request}.
# - "@timestamp" is the "time" field (13:21:23 +0800) normalised to UTC.
# - "response_time" is an unquoted 0.0, i.e. the float conversion took effect;
#   "bytes" and "http_status_code" are still strings.
# - "message" and "messager" both survive here, so this sample was presumably
#   captured before remove_field => ["message"] was in place — compare the
#   second sample, which has no "message".
# - "clientip", "http_referer" and "http_user_agent" are copied verbatim from
#   the request; the last two are client-controlled header values and should
#   be treated as untrusted text by anything that renders or alerts on them.
{
             "message" => "10.10.17.1 [11/Jan/2017:13:21:23 +0800] \"GET /resources/js/toolbar.js?_=1484112094581 HTTP/1.1\" - 200 2775 \"http://10.10.17.2/\" \"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" 0.000 -",
            "@version" => "1",
          "@timestamp" => "2017-01-11T05:21:23.000Z",
                "path" => "/var/log/nginx/access.log",
                "host" => "db01",
                "type" => "nginx_access",
            "clientip" => "10.10.17.1",
                "time" => "11/Jan/2017:13:21:23 +0800",
                "verb" => "GET",
             "request" => "/resources/js/toolbar.js",
         "httpversion" => "1.1",
    "http_status_code" => "200",
               "bytes" => "2775",
        "http_referer" => "http://10.10.17.2/",
     "http_user_agent" => "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0",
       "response_time" => 0.0,
            "messager" => "nginx_access-10.10.17.1 [11/Jan/2017:13:21:23 +0800] \"GET /resources/js/toolbar.js?_=1484112094581 HTTP/1.1\" - 200 2775 \"http://10.10.17.2/\" \"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" 0.000 -"
}



# Second rubydebug event from the same pipeline: a QR_code.jpg request with no
# query string, so presumably matched by the plain %{URIPATHPARAM:request}
# pattern rather than the "\?.*" one.
# - Only "messager" is present: the raw "message" was dropped by
#   remove_field => ["message"] after being copied into "messager" with the
#   "%{type}-" prefix, so the full raw line is still stored exactly once.
# - "@timestamp" (06:06:09Z) is "time" (14:06:09 +0800) normalised to UTC.
# - As above, "http_referer" and "http_user_agent" are client-supplied header
#   values carried through unchanged.
{
            "@version" => "1",
          "@timestamp" => "2017-01-11T06:06:09.000Z",
                "path" => "/var/log/nginx/access.log",
                "host" => "db01",
                "type" => "nginx_access",
            "clientip" => "10.10.17.1",
                "time" => "11/Jan/2017:14:06:09 +0800",
                "verb" => "GET",
             "request" => "/resources/images/home/QR_code.jpg",
         "httpversion" => "1.1",
    "http_status_code" => "200",
               "bytes" => "52810",
        "http_referer" => "http://10.10.17.2/",
     "http_user_agent" => "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0",
       "response_time" => 0.0,
            "messager" => "nginx_access-10.10.17.1 [11/Jan/2017:14:06:09 +0800] \"GET /resources/images/home/QR_code.jpg HTTP/1.1\" - 200 52810 \"http://10.10.17.2/\" \"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" 0.000 -"
}


    }   
                mutate {
                        convert => [ "request_time", "float"]
                        add_field =>["response_time","%{request_time}"]
                        convert => [ "response_time", "float"]
                        add_field => [ "[@metadata][zabbix_key]" , "logstash-api-access" ]
                        add_field => [ "[@metadata][zabbix_host]" , "dr-mysql01" ]
                        add_field =>["messager","%{type}-%{message}"]
                        remove_field =>["request_time"]
                        remove_field =>["message"]



[elk@db01 nginx]$ cat logstash_nginx.conf 
input {
    
       # Two tailed log sources. "type" is the only thing that tells them apart:
       # the output section routes on it and the filter prefixes it onto
       # "messager". Both types pass through the same grok patterns below, which
       # are written for the nginx layout — whether the wj-frontend lines match
       # them cannot be told from this page.
       file { 
                type => "wj_frontend_access" 
                path => ["/data01/applog_backup/winfae_log/wj-frontend0*access*"] 
        } 
         # Default nginx access log. The Logstash process only needs read
         # access to these two paths; that is all it should be granted.
         file {
                type => "nginx_access"
                path => ["/var/log/nginx/access.log"]
        }


 
}
filter {
    # Four layouts of the nginx access line are tried in order against
    # "message"; grok stops at the first one that matches (default
    # break_on_match). They differ only in the request-line form (query string
    # dropped by "\?.*", plain path, or raw "http_url") and in the referer slot
    # ("<url>", "-" or "").
    #
    # NOTE(review): the patterns are unanchored, so a line that matches none of
    # them is retried by all four from every character offset before grok gives
    # up and tags the event _grokparsefailure. Prefixing each pattern with "^"
    # avoids the retries; on grok versions that have it, timeout_millis bounds
    # the worst case — confirm the installed plugin version.
    #
    # "http_referer", "http_user_agent" and "http_x_forwarded_for" are copied
    # straight out of request headers the client chose; treat them as untrusted
    # text downstream, and do not take http_x_forwarded_for as the real client
    # address unless a trusted proxy in front of nginx is what sets it.
    # "clientip" is presumably nginx's $remote_addr (the TCP peer) — verify
    # against the nginx log_format.
    grok {
        match =>[ 
             "message","%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} %{URIPATHPARAM:request}\?.* HTTP/%{NUMBER:httpversion}\" \- %{NUMBER:http_status_code} %{NUMBER:bytes} \"(?<http_referer>\S+)\" \"(?<http_user_agent>(\S+\s+)*\S+)\" (%{BASE16FLOAT:request_time}) (%{IPORHOST:http_x_forwarded_for}|-)", 
             "message" , "%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}\" \- %{NUMBER:http_status_code} %{NUMBER:bytes} \"(?<http_referer>\S+)\" \"(?<http_user_agent>(\S+\s+)*\S+)\" (%{BASE16FLOAT:request_time}) (%{IPORHOST:http_x_forwarded_for}|-)",
             "message","%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} (?<http_url>\S+)\s+HTTP/%{NUMBER:httpversion}\"\s+\-\s+%{NUMBER:http_status_code}\s+%{NUMBER:bytes}\s+\"\-\"\s+\"(?<http_user_agent>(\S+))\"\s+(%{BASE16FLOAT:request_time})\s+(%{IPORHOST:http_x_forwarded_for}|-)",
             "message","%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}\" \- %{NUMBER:http_status_code} %{NUMBER:bytes} \"\" \"(?<http_user_agent>(\S+\s+)*\S+)\" (%{BASE16FLOAT:request_time}) (%{IPORHOST:http_x_forwarded_for}|-)"
             
        ]
    }   
                # Derived fields. The options are listed here in source order,
                # but the mutate plugin applies its operations in a fixed
                # internal order that does not follow the source; the sample
                # events on this page show response_time as a float, so the
                # copy+convert works on this Logstash version — re-check after an
                # upgrade rather than relying on the order written here.
                # NOTE(review): this block is not gated on grok success, so an
                # event tagged _grokparsefailure still gets response_time derived
                # from a missing request_time; presumably that yields a bogus
                # numeric value, which matters for the "response_time >= 5" alert
                # sketched in the output section — confirm and gate on the tag.
                # [@metadata] fields stay inside the pipeline (outputs never
                # serialise them); zabbix_key / zabbix_host are constants consumed
                # by the commented-out zabbix output.
                # "messager" keeps the whole raw line prefixed with the type, and
                # the original "message" is then removed so the line is stored once.
                mutate {
                        convert => [ "request_time", "float"]
                        add_field =>["response_time","%{request_time}"]
                        convert => [ "response_time", "float"]
                        add_field => [ "[@metadata][zabbix_key]" , "logstash-api-access" ]
                        add_field => [ "[@metadata][zabbix_host]" , "dr-mysql01" ]
                        add_field =>["messager","%{type}-%{message}"]
                        remove_field =>["request_time"]
                        remove_field =>["message"]
                       # remove_field =>["messager"]
                }
              # Parses "time" (e.g. 11/Jan/2017:13:21:23 +0800) into @timestamp,
              # normalised to UTC — the samples show 05:21:23Z for 13:21:23 +0800.
              date {
        match => ["time", "dd/MMM/yyyy:HH:mm:ss Z"]
    }
     
}






output {
        # rubydebug prints every event — client-supplied header strings
        # included — to stdout; it is a debugging aid (the sample events on this
        # page are its output) and can be dropped once the redis outputs are
        # verified.
        stdout {
                        codec => rubydebug
                } 
# NOTE(review): if this block is re-enabled, zabbix_value => "messager" ships the
# whole raw access line — User-Agent and Referer included — as the item value, so
# Zabbix receives client-controlled text wherever it renders it; the sender
# protocol to 192.168.32.55 is plaintext unless TLS is configured on both ends
# (depends on the Zabbix version — verify).
#        if [response_time] >= 5  {
#          zabbix {
#                zabbix_host => "[@metadata][zabbix_host]"
#                zabbix_key => "[@metadata][zabbix_key]"
#        zabbix_server_host => "192.168.32.55"
#        zabbix_server_port => "10051"
#                zabbix_value => "messager"
#        }
#          }
     # Events are pushed to a per-type redis list on the local instance.
     # NOTE(review): password => "1234567" is a live credential committed in the
     # config and already exposed by this listing; rotate it and reference it
     # through environment substitution, e.g. password => "${REDIS_PASSWORD}"
     # with REDIS_PASSWORD exported to the Logstash process, or via the Logstash
     # keystore on versions that have it. The same value is repeated in both
     # redis blocks, so one change covers both.
     if [type] == "nginx_access" { 
        redis {
                host => "127.0.0.1"
                data_type => "list"
                key => "nginx_access:redis"
                port=>"6379"
                password => "1234567"
        }
}
      else if [type] == "wj_frontend_access"{
       redis { 
                host => "127.0.0.1" 
                data_type => "list" 
                key => "wj_frontend_access:redis" 
                port=>"6379" 
                password => "1234567" 
        } 
}
}

如果你把 "message" 里所有的信息都 grok 到不同的字段了,数据实质上就相当于是重复存储了两份。
所以你可以用 remove_field 参数来删除掉 message 字段,或者用 overwrite 参数来重写默认的 message 字段,只保留最重要的部分。

重写参数的示例如下:

# Example of the "overwrite" alternative described above: instead of deleting
# "message" after grok, the %{DATA:message} capture replaces it, so only the
# part after the syslog header is kept and the line is stored once.
filter {
    grok {
        patterns_dir => "/path/to/your/own/patterns"
        match => {
            "message" => "%{SYSLOGBASE} %{DATA:message}"
        }
        # Without this, grok would refuse to write into the existing "message"
        # field and the capture would be silently dropped.
        overwrite => ["message"]
    }
}
