grok 添加字段 

filter {
    grok {
        match =>[ 
             "message","%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} %{URIPATHPARAM:request}\?.* HTTP/%{NUMBER:httpversion}\" \- %{NUMBER:http_status_code} %{NUMBER:bytes} \"(?

<http_referer>\S+)\" \"(?<http_user_agent>(\S+\s+)*\S+)\" (%{BASE16FLOAT:request_time}) (%{IPORHOST:http_x_forwarded_for}|-)", 
             "message" , "%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}\" \- %{NUMBER:http_status_code} %{NUMBER:bytes} \"(?

<http_referer>\S+)\" \"(?<http_user_agent>(\S+\s+)*\S+)\" (%{BASE16FLOAT:request_time}) (%{IPORHOST:http_x_forwarded_for}|-)"
             
        ]
    }   
        geoip {
                        source => "http_x_forwarded_for"
                        target => "geoip"
                        database => "/usr/local/logstash-2.3.4/etc/GeoLiteCity.dat"
                        add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
                        add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
                }
                mutate {
                        convert => [ "[geoip][coordinates]", "float"]
                }
     
}



/*******************

zjtest7-frontend:/usr/local/logstash-2.3.4/config# cat geoip.conf
input {stdin {} }

filter {
  geoip {
   source =>"message"
 }
} 


output {
      stdout {
               codec => rubydebug{}
                } 
}


zjtest7-frontend:/usr/local/logstash-2.3.4/config# ../bin/logstash -f geoip.conf
Settings: Default pipeline workers: 1
Pipeline main started
202.101.172.35
{
       "message" => "202.101.172.35",
      "@version" => "1",
    "@timestamp" => "2016-09-11T02:54:11.116Z",
          "host" => "0.0.0.0",
         "geoip" => {
                    "ip" => "202.101.172.35",
         "country_code2" => "CN",
         "country_code3" => "CHN",
          "country_name" => "China",
        "continent_code" => "AS",
              "latitude" => 35.0,
             "longitude" => 105.0,
              "location" => [
            [0] 105.0,
            [1] 35.0
        ]
    }
}


/*******************添加字段
zjtest7-frontend:/usr/local/logstash-2.3.4/config# cat geoip.conf
input {stdin {} }

filter {
  geoip {
   source =>"message"
  add_field => [ "[geoip][scantest]", "%{[geoip][location][0]}" ]
 }
} 


output {
      stdout {
               codec => rubydebug{}
                } 
}

zjtest7-frontend:/usr/local/logstash-2.3.4/config# ../bin/logstash -f geoip.conf
Settings: Default pipeline workers: 1
Pipeline main started
202.101.172.35
{
       "message" => "202.101.172.35",
      "@version" => "1",
    "@timestamp" => "2016-09-11T02:57:07.832Z",
          "host" => "0.0.0.0",
         "geoip" => {
                    "ip" => "202.101.172.35",
         "country_code2" => "CN",
         "country_code3" => "CHN",
          "country_name" => "China",
        "continent_code" => "AS",
              "latitude" => 35.0,
             "longitude" => 105.0,
              "location" => [
            [0] 105.0,
            [1] 35.0
        ],
              "scantest" => 105.0
    }
}

posted @ 2016-09-11 11:01  czcb  阅读(411)  评论(0编辑  收藏  举报