Splitting Java logs with grok

1. Suppose one log line reads as follows:

[root@VM_0_92_centos opt]# cat error.log
2019-07-12 07:59:02,280[ERROR ajp-nio-17289-exec-89](cn.com.al1.component.weixin.WeixinFilter:141) filter获取用户访问出现异常 session=4289CF6DF375C0E39CFB5365B0BF3DBD.2699,url=/portal/cooperationOpen/cooperationOpenAction!continueSession.action,Referer=https://al.do2.com.cn/wxqyh/vp/module/checkwork.html?agentCode=checkwork&corp_id=4w24589263c73e4999,userAgentMozilla/5.0 (Linux; Android 5.0.2; PLK-AL10 Build/HONORPLK-AL10; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.132 MQQBrowser/6.2 TBS/044405 Mobile Safari/537.36 wxwork/2.7.8 MicroMessenger/7.0.1 NetType/WIFI Language/zh

2. Logstash configuration

input {
  file {
    type => "java01"
    path => "/mnt/data/logs/wxqyh_18089/log4j.log"
    # Read from the start of the file and never persist the read offset.
    # Convenient while a pattern is being developed, but every Logstash
    # restart re-indexes the whole file.
    start_position => "beginning"
    sincedb_path => "/dev/null"
    # A line that does NOT begin with a timestamp (a stack trace line, for
    # example) belongs to the previous event.
    codec => multiline {
      pattern => "^%{TIMESTAMP_ISO8601}"
      negate => true
      what => "previous"
    }
  }
}

filter {
  grok {
    # Two patterns are needed because log4j's %5p pads four-letter levels
    # with a space: the line reads "[ERROR ..." but "[ INFO ...". The
    # patterns are tried in order and the first match wins (break_on_match
    # defaults to true). The (?m) prefix lets GREEDYDATA:data run across the
    # newlines inserted by the multiline codec; without it only the first
    # line of a stack trace survives into "data" and the rest is dropped
    # together with "message" below.
    # The timestamp is matched but not captured, so @timestamp stays the
    # ingest time unless a field and a date filter are added.
    match => {
      "message" => [
        "(?m)^%{TIMESTAMP_ISO8601}\[%{WORD:level} %{GREEDYDATA:ajp}\]%{GREEDYDATA:data}",
        "(?m)^%{TIMESTAMP_ISO8601}\[ %{WORD:level} %{GREEDYDATA:ajp}\]%{GREEDYDATA:data}"
      ]
    }
    # Applied only when a pattern matched; an unparsed event keeps "message"
    # and is tagged _grokparsefailure instead.
    remove_field => ["message"]
  }
}

output {
  if [type] == "java01" {
    elasticsearch {
      hosts => ["10.0.0.92:9200"]
      # One index per day, named from @timestamp (four-digit year).
      index => "pattern5java-%{+YYYY.MM.dd}"
    }
  }
}

3. Result

For the sample line above the grok filter yields level = ERROR, ajp = ajp-nio-17289-exec-89 (the thread name) and data = everything after the closing bracket, starting with (cn.com.al1.component.weixin.WeixinFilter:141); the original message field is removed.

4. Important use of greedy matching

GREEDYDATA is simply .* : it grabs as much as it can and the regex engine backtracks until the literal separators around it match. In a |-delimited log it can therefore carve out several fields in one pattern, because each capture is bounded by a \| and the level column is pinned down by WORD:

filter {
  grok {
    match => { "message" => "%{GREEDYDATA:Timestamp}\|%{GREEDYDATA:ThreadName}\|%{WORD:LogLevel}\|%{GREEDYDATA:TextInformation}\|%{GREEDYDATA:ClassName}" }
  }
}

The price is that the leftmost GREEDYDATA wins any ambiguity: a | inside the free-text column can shift every field one slot to the right. Where the column format is known, use tighter patterns (TIMESTAMP_ISO8601, NOTSPACE, LOGLEVEL) for the fixed columns and keep GREEDYDATA only for the free-text one.
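The following is an added example, not code from the original post or from Logstash: a small pure-Python expander that turns grok's %{NAME:field} references into regular expressions, used to check the patterns from sections 2 and 4 against constructed log lines without a running pipeline. The pattern bodies in the table are the logstash-patterns-core definitions for the names this page uses; the multiline grouping, the (?m) handling, the _grokparsefailure tag, the sample lines (modelled on the line in section 1, with an invented stack trace and a second record) and the tightened PIPE_PATTERN_STRICT are all assumptions made for the example.

```python
import re

# Pattern bodies for the grok names this page uses, copied from logstash-patterns-core
# (YEAR simplified: Python's re has no atomic group before 3.11). Everything below the
# table is the example's own code, not Logstash's.
GROK_PATTERNS = {
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "ISO8601_TIMEZONE": r"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))",
    "TIMESTAMP_ISO8601": r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "GREEDYDATA": r".*",
    "LOGLEVEL": (r"(?:[Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|"
                 r"[Ii]nfo?(?:rmation)?|INFO?(?:RMATION)?|[Ww]arn?(?:ing)?|WARN?(?:ING)?|"
                 r"[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|"
                 r"[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)"),
}
_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def grok_to_regex(pattern):
    # %{NAME:field} -> named group, bare %{NAME} -> non-capturing group
    # (Logstash's default named_captures_only => true); nested names expand recursively.
    def expand(m):
        body = grok_to_regex(GROK_PATTERNS[m.group(1)])
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return _REF.sub(expand, pattern)

def grok_match(pattern, text):
    # Unanchored search, as grok does. A leading (?m) is Ruby/Oniguruma for
    # "dot matches newline", which Python spells re.DOTALL (not re.MULTILINE).
    flags = 0
    if pattern.startswith("(?m)"):
        pattern, flags = pattern[4:], re.DOTALL
    m = re.search(grok_to_regex(pattern), text, flags)
    return m.groupdict() if m else None

def grok_filter(patterns, text):
    # break_on_match => true: the first pattern that matches wins;
    # an unparsed event is tagged _grokparsefailure and otherwise left alone.
    for pattern in patterns:
        fields = grok_match(pattern, text)
        if fields is not None:
            return fields
    return {"tags": ["_grokparsefailure"]}

def multiline_events(lines, start="^%{TIMESTAMP_ISO8601}"):
    # codec multiline { pattern => start, negate => true, what => "previous" }:
    # a line that does not begin a timestamped record is glued to the previous event.
    begins = re.compile(grok_to_regex(start))
    events = []
    for line in lines:
        if begins.search(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events

# Section 2 patterns with (?m) added so GREEDYDATA:data keeps the glued stack trace.
# log4j's %5p pads INFO/WARN to five characters, hence the "[ " variant.
JAVA_PATTERNS = [
    r"(?m)^%{TIMESTAMP_ISO8601}\[%{WORD:level} %{GREEDYDATA:ajp}\]%{GREEDYDATA:data}",
    r"(?m)^%{TIMESTAMP_ISO8601}\[ %{WORD:level} %{GREEDYDATA:ajp}\]%{GREEDYDATA:data}",
]
# Constructed input modelled on the line in section 1; the stack trace and the
# second record are invented for this example.
SAMPLE_LINES = [
    "2019-07-12 07:59:02,280[ERROR ajp-nio-17289-exec-89]"
    "(cn.com.al1.component.weixin.WeixinFilter:141) filter caught an exception "
    "session=4289CF6DF375C0E39CFB5365B0BF3DBD.2699",
    "java.lang.NullPointerException: null",
    "\tat cn.com.al1.component.weixin.WeixinFilter.doFilter(WeixinFilter.java:141)",
    "2019-07-12 07:59:03,001[ INFO ajp-nio-17289-exec-90](cn.com.al1.web.LoginAction:77) user login ok",
]
# Section 4 pattern and a tightened variant: anchoring the leading fields keeps the
# first GREEDYDATA from swallowing a '|' that occurs inside the message text.
PIPE_PATTERN = (r"%{GREEDYDATA:Timestamp}\|%{GREEDYDATA:ThreadName}\|%{WORD:LogLevel}\|"
                r"%{GREEDYDATA:TextInformation}\|%{GREEDYDATA:ClassName}")
PIPE_PATTERN_STRICT = (r"%{TIMESTAMP_ISO8601:Timestamp}\|%{NOTSPACE:ThreadName}\|%{LOGLEVEL:LogLevel}\|"
                       r"%{GREEDYDATA:TextInformation}\|%{NOTSPACE:ClassName}")
PIPE_LINE_CLEAN = ("2019-07-12 07:59:02,280|ajp-nio-17289-exec-89|ERROR|"
                   "filter caught an exception|cn.com.al1.component.weixin.WeixinFilter")
PIPE_LINE_TRICKY = ("2019-07-12 07:59:02,280|ajp-nio-17289-exec-89|ERROR|"
                    "retry|3|cn.com.al1.component.weixin.WeixinFilter")  # message contains '|'

def parse_java_log(lines=SAMPLE_LINES):
    return [grok_filter(JAVA_PATTERNS, event) for event in multiline_events(lines)]

def parse_pipe_line(line, strict=False):
    return grok_match(PIPE_PATTERN_STRICT if strict else PIPE_PATTERN, line)

if __name__ == "__main__":
    for event in parse_java_log():
        print(event)
    print(parse_pipe_line(PIPE_LINE_TRICKY))               # LogLevel shifts to "retry"
    print(parse_pipe_line(PIPE_LINE_TRICKY, strict=True))  # LogLevel stays "ERROR"
```

Running it shows the three lines of the first record collapsing into one event whose data field ends with the stack trace, the padded "[ INFO" record being caught by the second pattern, and the leftmost-greedy hazard from section 4: on the line whose message is "retry|3", the original pattern reports ThreadName = ERROR and LogLevel = retry, while the anchored variant keeps LogLevel = ERROR and puts "retry|3" into TextInformation. Python's re is not Logstash's Oniguruma engine, so treat this as a pre-check and confirm the final pattern in Kibana's Grok Debugger before deploying it.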

5. Reference:

https://mp.weixin.qq.com/s?__biz=MzI0MDYyMzgxNw==&mid=2247483698&idx=1&sn=8fc0c3a3d21c77dd7df9fd4b6f46e18b&chksm=e9194894de6ec182ad1a35bfd028b1b90cfae38cb86ce56f95bbd9864625a38e2ed65b55659a&mpshare=1&scene=1&srcid=0706bZLJkxrgavx6VwC9H5Zq&pass_ticket=Prw1Pqtprx7ksjVLwTRi%2F5V62NnxZ%2FLEA60%2B%2BaPIPh22jt1QLxqYZtMydBQ%2FGXqt#rd

posted @ 2019-07-12 15:35  littlevigra