logstash使用“|”切分日志报错:Exception caught while applying mutate filter {:exception=>"Invalid FieldReferen...

最新推荐文章于 2022-08-23 09:36:38 发布
最新推荐文章于 2022-08-23 09:36:38 发布
阅读量569 收藏
点赞数 1
文章标签: log4j2 doc log4j data mining slf4j
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/wuxun1997/article/details/115527286
版权

  如题,通过FileBeat输入的日志里有“|”分割,希望拿到“|”切分后的字段,在logstash配置文件中配置:

input{
 beats {
    port => "5044"
  }
}

filter{
    mutate {
      split => {"message"=>"|"}
    }
    
    mutate {
        add_field => {
            "helloObject" => "%{message[1]}"
        }
    }        
          
}
output {
  stdout { codec => rubydebug }
}

  跑logstash和filebeat后,报错:

D:\elk\logstash-7.9.0\bin>.\logstash -f ..\config\logstash-simple.conf
Sending Logstash logs to D:/elk/logstash-7.9.0/logs which is now configured via log4j2.properties
[2020-09-04T07:50:21,150][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"7.9.0", "jruby.version"=>"jruby 9.2.12.0 (2.5.7) 2020-07-01 db01a49ba6 Java HotSpot(TM) 64-Bit Server VM 25.102-b14 on 1.8.0_102-b14 +indy +jit [mswin32-x86_64]"}
[2020-09-04T07:50:21,545][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2020-09-04T07:50:25,367][INFO ][org.reflections.Reflections] Reflections took 62 ms to scan 1 urls, producing 22 keys and 45 values
[2020-09-04T07:50:25,656][WARN ][org.logstash.netty.SslContextBuilder] JCE Unlimited Strength Jurisdiction Policy not installed - max key length is 128 bits
[2020-09-04T07:50:28,752][INFO ][logstash.javapipeline    ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>500, "pipeline.sources"=>["D:/elk/logstash-7.9.0/config/logstash-simple.conf"], :thread=>"#<Thread:0x464291c run>"}
[2020-09-04T07:50:30,253][INFO ][logstash.javapipeline    ][main] Pipeline Java execution initialization time {"seconds"=>1.45}
[2020-09-04T07:50:30,294][INFO ][logstash.inputs.beats    ][main] Beats inputs: Starting input listener {:address=>"0.0.0.0:5044"}
[2020-09-04T07:50:30,341][INFO ][logstash.javapipeline    ][main] Pipeline started {"pipeline.id"=>"main"}
[2020-09-04T07:50:30,568][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2020-09-04T07:50:30,661][INFO ][org.logstash.beats.Server][main][9ae67b9bba079922e3c275620c84df564808b8c801bdc106c4c8bcd0f4d79ee1] Starting server on port: 5044
[2020-09-04T07:50:31,325][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2020-09-04T07:50:37,539][WARN ][logstash.filters.mutate  ][main][a1eb5d49f96a653afa0c4411fcca0ea2eba55829612774f3236630293da944e0] Exception caught while applying mutate filter {:exception=>"Invalid FieldReference: `message[1]`"}
D:\elk\logstash-7.9.0\bin>.\logstash -f ..\config\logstash-simple.conf
Sending Logstash logs to D:/elk/logstash-7.9.0/logs which is now configured via log4j2.properties
[2020-09-04T07:50:21,150][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"7.9.0", "jruby.version"=>"jruby 9.2.12.0 (2.5.7) 2020-07-01 db01a49ba6 Java HotSpot(TM) 64-Bit Server VM 25.102-b14 on 1.8.0_102-b14 +indy +jit [mswin32-x86_64]"}
[2020-09-04T07:50:21,545][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2020-09-04T07:50:25,367][INFO ][org.reflections.Reflections] Reflections took 62 ms to scan 1 urls, producing 22 keys and 45 values
[2020-09-04T07:50:25,656][WARN ][org.logstash.netty.SslContextBuilder] JCE Unlimited Strength Jurisdiction Policy not installed - max key length is 128 bits
[2020-09-04T07:50:28,752][INFO ][logstash.javapipeline    ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>500, "pipeline.sources"=>["D:/elk/logstash-7.9.0/config/logstash-simple.conf"], :thread=>"#<Thread:0x464291c run>"}
[2020-09-04T07:50:30,253][INFO ][logstash.javapipeline    ][main] Pipeline Java execution initialization time {"seconds"=>1.45}
[2020-09-04T07:50:30,294][INFO ][logstash.inputs.beats    ][main] Beats inputs: Starting input listener {:address=>"0.0.0.0:5044"}
[2020-09-04T07:50:30,341][INFO ][logstash.javapipeline    ][main] Pipeline started {"pipeline.id"=>"main"}
[2020-09-04T07:50:30,568][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2020-09-04T07:50:30,661][INFO ][org.logstash.beats.Server][main][9ae67b9bba079922e3c275620c84df564808b8c801bdc106c4c8bcd0f4d79ee1] Starting server on port: 5044
[2020-09-04T07:50:31,325][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2020-09-04T07:50:37,539][WARN ][logstash.filters.mutate  ][main][a1eb5d49f96a653afa0c4411fcca0ea2eba55829612774f3236630293da944e0] Exception caught while applying mutate filter {:exception=>"Invalid FieldReference: `message[1]`"}

  虽然切是切了,但想要的日志字段没有加出来:

{
           "log" => {
          "file" => {
            "path" => "D:\\wlf\\logs\\hello-2020-09-04.0.log"
        },
        "offset" => 111785
    },
           "ecs" => {
        "version" => "1.5.0"
    },
          "tags" => [
        [0] "beats_input_codec_plain_applied",
        [1] "_mutate_error"
    ],
         "input" => {
        "type" => "log"
    },
    "@timestamp" => 2020-09-03T23:48:37.101Z,
         "agent" => {
        "ephemeral_id" => "e3f854ff-d2a1-41fc-9168-ca92bd7dd715",
                "type" => "filebeat",
             "version" => "7.9.0",
            "hostname" => "wulf00",
                "name" => "wulf00",
                  "id" => "ae375dc0-d6e2-488c-be87-2544c05b1242"
    },
          "host" => {
        "name" => "wulf00"
    },
       "message" => [
        [0] "07:48:36.452 [scheduling-1] [] [] INFO  com.wlf.elasticsearchstatictis.Begin - hello",
        [1] "world."
    ],
      "@version" => "1"
}

  配置文件没问题,但添加字段那一个mutate需要给message套一层中括号:

mutate {
        add_field => {
            "helloObject" => "%{[message][1]}"
        }
}

  重新启动logstash,报错没了,message[1]也能取到了:

D:\elk\logstash-7.9.0\bin>.\logstash -f ..\config\logstash-simple.conf
Sending Logstash logs to D:/elk/logstash-7.9.0/logs which is now configured via log4j2.properties
[2020-09-04T08:20:10,122][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"7.9.0", "jruby.version"=>"jruby 9.2.12.0 (2.5.7) 2020-07-01 db01a49ba6 Java HotSpot(TM) 64-Bit Server VM 25.102-b14 on 1.8.0_102-b14 +indy +jit [mswin32-x86_64]"}
[2020-09-04T08:20:10,584][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2020-09-04T08:20:13,684][INFO ][org.reflections.Reflections] Reflections took 45 ms to scan 1 urls, producing 22 keys and 45 values
[2020-09-04T08:20:13,937][WARN ][org.logstash.netty.SslContextBuilder] JCE Unlimited Strength Jurisdiction Policy not installed - max key length is 128 bits
[2020-09-04T08:20:16,047][INFO ][logstash.javapipeline    ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>500, "pipeline.sources"=>["D:/elk/logstash-7.9.0/config/logstash-simple.conf"], :thread=>"#<Thread:0x3bb3812e run>"}
[2020-09-04T08:20:17,233][INFO ][logstash.javapipeline    ][main] Pipeline Java execution initialization time {"seconds"=>1.16}
[2020-09-04T08:20:17,268][INFO ][logstash.inputs.beats    ][main] Beats inputs: Starting input listener {:address=>"0.0.0.0:5044"}
[2020-09-04T08:20:17,326][INFO ][logstash.javapipeline    ][main] Pipeline started {"pipeline.id"=>"main"}
[2020-09-04T08:20:17,536][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2020-09-04T08:20:17,607][INFO ][org.logstash.beats.Server][main][be332a0e557bc16ff2fcdf24fcbd3b24c16b1141269fff75b0e835137ee7698f] Starting server on port: 5044
[2020-09-04T08:20:18,205][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
{
           "host" => {
        "name" => "wulf00"
    },
            "ecs" => {
        "version" => "1.5.0"
    },
           "tags" => [
        [0] "beats_input_codec_plain_applied"
    ],
    "helloObject" => "world.",
     "@timestamp" => 2020-09-04T00:20:14.782Z,
          "agent" => {
            "hostname" => "wulf00",
        "ephemeral_id" => "e3f854ff-d2a1-41fc-9168-ca92bd7dd715",
             "version" => "7.9.0",
                  "id" => "ae375dc0-d6e2-488c-be87-2544c05b1242",
                "type" => "filebeat",
                "name" => "wulf00"
    },
        "message" => [
        [0] "08:20:11.653 [scheduling-1] [] [] INFO  com.wlf.elasticsearchstatictis.Begin - hello",
        [1] "world."
    ],
       "@version" => "1",
            "log" => {
        "offset" => 131366,
          "file" => {
            "path" => "D:\\wlf\\logs\\hello-2020-09-04.0.log"
        }
    },
          "input" => {
        "type" => "log"
    }
}
不想下火车的人
关注
  • 1
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
ELK:docker中使用logstash收集nginx日志,遇到的问题总结
qq_40673345的博客
12-12 1221
1.意外退出docker后,logstash启动错误:IllegalStateException: (SystemExit) exit root@82d3493c1c7b:~# /opt/logstash/bin/logstash -f /opt/conf/logstash.conf Thread.exclusive is deprecated, use Thread::Mutex Se...
logstash配置文件
weixin_33670786的博客
06-26 432
1. 安装 logstash 安装过程很简单,直接参照官方文档: https://www.elastic.co/guide/en/logstash/current/installing-logstash.html # rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch # vim /etc/yum.repos....
Elastic Stack安装和升级指南
幽灵 逐梦--专栏
01-29 945
概述 Elastic Stack中的产品设计为可以一起使用,并且版本可以同步,以简化安装和升级过程。完整的堆栈包括: Beats 7.5 APM Server 7.5 Elasticsearch 7.5 Elasticsearch Hadoop 7.5 Kibana 7.5 Logstash 7.5 本指南提供有关在使用多个Elastic Stack产品时进行安装和升...
Installation failed due to: '-26'
u013474571的博客
03-23 5236
Android Installation did not succeed. The application could not be installed. Installation failed due to: '-26' 报错原因: 手机里已经安装有相同包名的应用(可能会说明明没有装过这个名字的应用呀,一定要再次确认是否有重复的包名的应用,以包名为准,而不是应用名字,an...
ELK-4-Logstash安装
wj903829182的专栏
04-27 1165
ELK系列文章地址:ELK 一,Windows安装 去官网下载logstash,地址:下载地址 1,下载后解压到相应目录,eg:D:\ELK\logstash-7.0.0 2,在bin目录下建立logstash_default.conf文件,文件内容如下: input { stdin{ } } output { stdout{...
Logstash:如何处理 Logstash pipeline 错误信息
Elastic 中国社区官方博客
03-02 2182
在我们使用 Logstash 的时候经常会出现一些错误。比如当我们使用 dissect 这样的 filter 时,会出现格式不匹配从而导致错误。那么我们该如何处理这类错误呢?当 dissect 遇到错误的格式不能进行解析时,会为文档添加一个叫做_dissectfailure 的标签,并继续处理该事件: 那么我们该如何处理该类错误的信息呢? 一种比较好的办法就是通过 elasticsearch output 把他存放于另外一个索引中。我们先用如下的例子来进行实验。 dissect.conf i.
logstash-template模板:logstash.json
06-14
`logstash.json` 文件就是这样一个预定义的模板,用于规定数据的结构和字段类型,确保数据在导入时能够被正确地解析和存储。 1. **Logstash模板的作用**: - **格式化数据**:模板允许你定义输入数据的结构,包括...
最新版linux logstash-7.16.1-linux-x86_64.tar.gz
12-16
2. 数据过滤:通过grok过滤器解析日志格式,提取关键信息,如`filter { grok { match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{WORD:level}: %{GREEDYDATA:message}" } } }`。 3. 数据转发:利用...
最新版linux logstash-7.15.2-linux-x86_64.tar.gz
11-15
在`config`目录下,你可以找到默认的`logstash.yml`配置文件,用于设置全局选项。要创建一个新的配置,可以在该目录下创建一个`.conf`文件,例如`my_config.conf`,并定义输入和输出插件。 **4. 输入插件** 输入...
Logstash日志管理系统 v7.9.3
11-02
为您提供Logstash日志管理系统下载,Logstash是一个应用程序日志、事件的传输、处理、管理和搜索的平台。你可以用它来统一对应用程序日志进行收集管理,提供Web接口用于查询和统计。Logstash现在是ElasticSearch家族...
最新版windows logstash-7.17.6-windows-x86_64.zip
09-02
- 配置文件:配置文件通常位于 config/logstash.yml,用户可以根据需求调整参数,如设置日志级别、内存使用等。 - 环境变量:可能需要设置环境变量以确保 Logstash 能找到依赖库和插件。 4. **插件管理**: - ...
解决启动多个logstash的conf文件报错Logstash could not be started because there is already another instance
qq_41582883的博客
04-26 1190
1.报错信息 Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties [2021-04-26T15:01:55,983][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified [202
解决logstash报错[ERROR][logstash.config.sourceloader] No configuration found in the configured sources.
热门推荐
巨魔战将
11-07 1万+
在做产品研发环境部署是,发现一个错,记录下来,以给遇到同样问题的筒子们 报错信息: [troll@standalone logstash-6.4.3]$ bin/logstash -f data-conf/zipkin-server.conf Sending Logstash logs to /var/log/logstash which is now configured via log4j2...
Logstash could not be started because there is already another instance using the configured data ..
dev_hui 的博客
02-28 2394
一. 问题描述: 安装好 logstash-input-jdbc 插件,并且完成配置后,由于一些未知的操作,通过命令启动logstash时 [root@tlxyxx-web1 logstash-5.5.0]# ./bin/logstash -f sql_data/jdbc.conf 出现了如下异常: Sending Logstash logs to /opt/logstash-5.5...
LogStash 错误:Logstash could not be started because there is already another instance usin
500Error
07-01 7306
$ ./bin/logstash -f ./myconfig/conf.conf 错误提示: Sending Logstash logs to /usr/local/logstash/logstash-6.5.0/logs which is now configured via log4j2.properties [2018-11-20T12:23:45,931][WARN ][logstash.config.source.multilocal] Ignoring the 'pipeline..
Logstash报错Logstash - java.lang.IllegalStateException: Logstash stopped processing because of an err
冷心笑看丽美人 ~ blog
08-23 5295
logstash -e 'input { stdin {} } output { stdout {} }'报错 ,竟然是输入包含中文?可笑
Logstash 入门介绍
magic_kid_2010的专栏
09-05 1271
一、简介。 通常,Logstash 的一个配置文件含input{},filter{},output{} 三部分。其中,输入和输出是必须的元素,filter 元素是可选的。输入 元素获取数据源源数据,过滤器元素按照指定的要求修改数据,输出元素将数据写入目标。 说明: (1)Linux 安装 Logstash,请阅读博文Linux 安装 Logstash 二、测试标准输入输出。 ....
ELK报错及解决方案
何宇泽
08-19 4714
1.jdk版本问题 报错如下: future versions of Elasticsearch will require Java 11; your Java version from [/usr/local/jdk9/jdk-9.0.4] does not meet this requirement Java HotSpot(TM) 64-Bit Server VM warning: O...
LogStash 重启报错Logstash could not be started because there is already another instance using
JineD的博客
09-05 8170
$ ./bin/logstash -f ./temp/std_std.conf 错误提示: Sending Logstash logs to /usr/local/logstash/logstash-6.5.0/logs which is now configured via log4j2.properties [2018-11-20T12:23:45,931][WARN ][logstash.config.source.multilocal] Ignoring the 'pipeline..
logstash运行时报错:[logstash.filters.ruby ] Ruby exception occurred:
最新发布
04-04
这是Logstash在运行时遇到了一个Ruby异常。可能的原因包括: 1. Ruby代码中存在语法错误或逻辑错误。 2. Ruby代码中使用了未定义或不可访问的变量、方法或类。 3. Ruby插件中的输入、过滤器或输出出现了错误。 4. ...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值