给 geoip 添加一列：在 mutate 中加入 add_field =>["[geoip][request_time]","%{request_time}"]。下面第一段输出中 geoip 还没有 request_time 字段：

                 "message" => " 10.171.246.184 [11/Sep/2016:14:42:53 +0800] \"GET /wechat/home.html?useragent=android_h5_zjcap&apiver=2 HTTP/1.1\" - 200 11601 \"-\" \"okhttp/2.6.0\" 0.001 182.239.100.236",
                "@version" => "1",
              "@timestamp" => "2016-09-11T06:43:14.948Z",
                    "path" => "/data01/applog_backup/zjzc_log/zj-frontend01-access.2016-09-11",
                    "host" => "dr-mysql01.zjcap.com",
                    "type" => "zj_frontend_access",
                "clientip" => "10.171.246.184",
                    "time" => "11/Sep/2016:14:42:53 +0800",
                    "verb" => "GET",
                 "request" => "/wechat/home.html",
             "httpversion" => "1.1",
        "http_status_code" => "200",
                   "bytes" => "11601",
            "http_referer" => "-",
         "http_user_agent" => "okhttp/2.6.0",
            "request_time" => 0.001,
    "http_x_forwarded_for" => "182.239.100.236",
                   "geoip" => {
                    "ip" => "182.239.100.236",
         "country_code2" => "HK",
         "country_code3" => "HKG",
          "country_name" => "Hong Kong",
        "continent_code" => "AS",
           "region_name" => "00",
             "city_name" => "Kwai Chung",
              "latitude" => 22.349999999999994,
             "longitude" => 114.13330000000002,
              "timezone" => "Asia/Hong_Kong",
              "location" => [
            [0] 114.13330000000002,
            [1] 22.349999999999994
        ],
           "coordinates" => [
            [0] 114.13330000000002,
            [1] 22.349999999999994
        ]
    }
}

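# Parse front-end access-log lines, geolocate the forwarded client address and
# copy the request latency into the geoip object.
filter {
    grok {
        # Two patterns are tried in order against "message":
        #   1. request line with a query string; the trailing "\?.*" keeps the
        #      query out of the "request" field,
        #   2. request line without a query string.
        # The raw "message" field still holds the complete line, query string
        # included, so anything sensitive passed in the URL stays in the stored
        # event even though "request" is trimmed.
        # http_referer and http_user_agent are copied from request headers and
        # are therefore client-chosen text; treat them as untrusted wherever
        # they are rendered or queried downstream.
        # NOTE(review): BASE16FLOAT also accepts hexadecimal digits; NUMBER
        # would be the stricter match for a decimal latency. Left unchanged.
        match => [
            "message", "%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} %{URIPATHPARAM:request}\?.* HTTP/%{NUMBER:httpversion}\" \- %{NUMBER:http_status_code} %{NUMBER:bytes} \"(?<http_referer>\S+)\" \"(?<http_user_agent>(\S+\s+)*\S+)\" (%{BASE16FLOAT:request_time}) (%{IPORHOST:http_x_forwarded_for}|-)",
            "message", "%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}\" \- %{NUMBER:http_status_code} %{NUMBER:bytes} \"(?<http_referer>\S+)\" \"(?<http_user_agent>(\S+\s+)*\S+)\" (%{BASE16FLOAT:request_time}) (%{IPORHOST:http_x_forwarded_for}|-)"
        ]
    }

    geoip {
        # NOTE(review): the lookup key is the X-Forwarded-For value, i.e. a
        # request header. Unless the front proxy overwrites it, the client
        # decides what appears here, so the resulting location is a reporting
        # hint, not evidence of where a request came from. In the sample
        # events clientip is a 10.x address (presumably the proxy or load
        # balancer), which is why clientip itself is not geolocated.
        # When the log line carries "-" the grok pattern captures no
        # http_x_forwarded_for and this filter has nothing to look up.
        source => "http_x_forwarded_for"
        target => "geoip"
        database => "/usr/local/logstash-2.3.4/etc/GeoLiteCity.dat"
        # Two add_field entries on the same key build the
        # [longitude, latitude] array seen in the event output.
        add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
        add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }

    mutate {
        # The coordinates and the latency are captured as text; store them as floats.
        convert => [ "[geoip][coordinates]", "float" ]
        convert => [ "request_time", "float" ]
    }

    # Copy the latency into the geoip object only when grok extracted it.
    # An unresolved "%{request_time}" reference is stored as that literal text,
    # which would put a string into a field that otherwise holds a float and
    # create a geoip object on events that failed to parse.
    if [request_time] {
        mutate {
            add_field => [ "[geoip][request_time]", "%{request_time}" ]
        }
    }
}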



                 "message" => " 10.252.142.174 [11/Sep/2016:14:45:24 +0800] \"GET /wechat/images/about/lss.7dcc3a4c.png HTTP/1.1\" - 200 5147 \"https://www.zjcap.cn/wechat/safe.html?useragent=android_h5_zjcap\" \"Mozilla/5.0 (Linux; Android 6.0; HUAWEI NXT-L29 Build/HUAWEINXT-L29; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Mobile Safari/537.36 android_h5_zjcap\" 0.000 182.239.100.236",
                "@version" => "1",
              "@timestamp" => "2016-09-11T06:47:02.315Z",
                    "path" => "/data01/applog_backup/zjzc_log/zj-frontend02-access.2016-09-11",
                    "host" => "dr-mysql01.zjcap.com",
                    "type" => "zj_frontend_access",
                "clientip" => "10.252.142.174",
                    "time" => "11/Sep/2016:14:45:24 +0800",
                    "verb" => "GET",
                 "request" => "/wechat/images/about/lss.7dcc3a4c.png",
             "httpversion" => "1.1",
        "http_status_code" => "200",
                   "bytes" => "5147",
            "http_referer" => "https://www.zjcap.cn/wechat/safe.html?useragent=android_h5_zjcap",
         "http_user_agent" => "Mozilla/5.0 (Linux; Android 6.0; HUAWEI NXT-L29 Build/HUAWEINXT-L29; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Mobile Safari/537.36 android_h5_zjcap",
            "request_time" => 0.0,
    "http_x_forwarded_for" => "182.239.100.236",
                   "geoip" => {
                    "ip" => "182.239.100.236",
         "country_code2" => "HK",
         "country_code3" => "HKG",
          "country_name" => "Hong Kong",
        "continent_code" => "AS",
           "region_name" => "00",
             "city_name" => "Kwai Chung",
              "latitude" => 22.349999999999994,
             "longitude" => 114.13330000000002,
              "timezone" => "Asia/Hong_Kong",
              "location" => [
            [0] 114.13330000000002,
            [1] 22.349999999999994
        ],
           "coordinates" => [
            [0] 114.13330000000002,
            [1] 22.349999999999994
        ],
          "request_time" => 0.0
    }
}


给 geoip 添加一列,add_field =>["[geoip][request_time]","%{request_time}"]
