Logstash: configuring aggregate + elapsed filters

Submitted by 北战南征 on 2021-01-29 14:02:07

Question

I have these logs:

"03.08.2020 10:56:38","Event LClick","Type Menu","t=0","beg"
"03.08.2020 10:56:38","Event LClick","Type Menu","Detail SomeDetail","t=109","end"
"03.08.2020 10:56:40","Event LClick","t=1981","beg"
"03.08.2020 10:56:40","Event LClick","t=2090","end"
"03.08.2020 10:56:41","Event LClick","Type ToolBar","t=3026","beg"
"03.08.2020 10:56:43","Event LClick","Type ToolBar","Detail User_Desktop","t=4477","end"
"03.08.2020 10:56:44","Event FormActivate","Name Form_Name:IsaA","t=5444"
"03.08.2020 10:56:51","Event LClick","t=12543","beg"
"03.08.2020 10:56:51","Event LClick","t=12605","end"
"03.08.2020 10:56:52","Event LClick","Form ","Type Label","Name Application.for.training","t=13853","beg"
"03.08.2020 10:57:54","Event LClick","Form Application.for.training","Type Label","Name Application.for.training","t=75442","end"
"03.08.2020 10:57:54","Event FormActivate","Name List.form","t=75785"
"03.08.2020 10:58:04","Event Wheel","Form List.form","Type FormTable","Name Список","t=85769","beg"
"03.08.2020 10:58:04","Event Wheel","Form List.form","Type FormTable","Name Список","t=85769","end"
"03.08.2020 10:58:04","Event Wheel","Form List.form","Type FormTable","Name Список","t=85847","beg"
"03.08.2020 10:58:04","Event Wheel","Form List.form","Type FormTable","Name Список","t=85847","end"
"03.08.2020 10:58:04","Event Wheel","Form List.form","Type FormTable","Name Список","t=85879","beg"
"03.08.2020 10:58:04","Event Wheel","Form List.form","Type FormTable","Name Список","t=85879","end"
"03.08.2020 10:58:04","Event Wheel","Form List.form","Type FormTable","Name Список","t=85925","beg"
"03.08.2020 10:58:04","Event Wheel","Form List.form","Type FormTable","Name Список","t=85925","end"
"03.08.2020 10:58:08","Event LClick","Form List.form","Type FormTable","Name Список","t=89373","beg"
"03.08.2020 10:58:08","Event LClick","Form List.form","Type FormTable","Name Список","Detail Data","t=89451","end"
"03.08.2020 10:58:15","Event LClick","Form List.form","Type FormTable","Name Список","t=96580","beg"
"03.08.2020 10:58:15","Event LClick","Form List.form","Type FormTable","Name Список","Detail Data","t=96643","end"
"03.08.2020 10:58:15","Event LBtnDbl","Form List.form","Type FormTable","Name Список","t=96752","beg"
"03.08.2020 10:59:22","Event FormActivate","Name Another.Form","t=164004"
"03.08.2020 10:59:22","Event LBtnDbl","Form Another.Form","Type FormTable","Name Список","Detail Data","t=164004","end"
"03.08.2020 10:59:25","Event LClick","Form Another.Form","Type ToolBar","Name КоманднаяПанельПереченьРеквизитов","t=167171","beg"
"03.08.2020 10:59:26","Event LClick","Form Another.Form","Type ToolBar","Name КоманднаяПанельПереченьРеквизитов","Detail Заполнить","t=167249","end"
...

My logstash config:

input {
    beats {
        port => '5044'
    }
}
filter {
    grok {
        patterns_dir => ['./patterns']
        match => { 'message' => '%{TIME:timestamp}(","Event\s)(?<Event>([^"]+))(","Form\s)?(?<Form>([^"]+))?(","ParentType\s)?(?<parent_type>([^"]+))?(","ParentName\s)?(?<parent_name>([^"]+))?(","Type\s)?(?<type>([^"]+))?(","Name\s)?(?<Name_of_form>([^"]+))?(","Detail\s)?(?<Detail>([^"]+))?(","t=)?(?<t>([\d]+))?(",")?(?<Status>(end|beg))?' }
        add_tag => [ '%{Status}' ]
    }
    dissect {
        mapping => {
            '[log][file][path]' => 'C:\Program Files\Filebeat\logs\%{somethingtoo}\%{something}\%{user}\%(unknown).txt'
        }
    }
    date {
        match => [ 'timestamp', 'dd.MM.yyyy HH:mm:ss' ]
    }
    elapsed {
        unique_id_field => 'Event'
        start_tag => 'beg'
        end_tag => 'end'
        new_event_on_match => false
    }

    if 'elapsed' in [tags] {
        aggregate {
            task_id => '%{Event}'
            code => 'map["duration"] = [(event.get("elapsed_time")*1000).to_i]'
            map_action => 'create'
        }
    }
    mutate {
        remove_field => ['timestamp', 'ecs', 'log', 'tags', 'message', '@version', 'something', 'somethingtoo', 'filename', 'input', 'host', 'agent', 't', 'parent_type', 'parent_name', 'type']
        rename => {'elapsed_time' => 'Event_duration'}
    }
}
output {
    elasticsearch {
        hosts => ['localhost:9200']
        index => 'test'
    }
}

Question: right now I calculate the time difference between the lines using beg (the beginning of an action) and end (the end of an action). But that doesn't make much sense, because it's almost always 0 seconds. How would I implement it like this: when a form field appears in the line (if 'Form' in message), take the difference between the first appearance of a certain form and its last appearance. How can I implement this if it is not clear what to bind the end_tag to?

For the logs above, I should get the following:

  1. Some form is activated (Event FormActivate), with the form name in a separate field (Name Name_of_form). Then the actions on this form follow (whose time must be counted), then the activation of the next form, and so on until the end of the file.
  2. As long as the form is the same, move on.
  3. The last appearance of this form in a row.
  4. Elapsed_time: "08/03/2020 10:58:15" - "08/03/2020 10:58:04" = 11 seconds

I would be very grateful for any help!

Source: https://stackoverflow.com/questions/63548269/logstash-configuring-aggregate-elapsed-filters
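An added example, not part of the original post: a stand-alone Ruby script (Ruby being the language of the aggregate filter's code block) that implements the grouping the question describes on a subset of the sample lines above. It treats each run of consecutive lines carrying the same non-empty Form value as one session and reports last-minus-first; it assumes that a FormActivate line (which carries Name but no Form) does not break a run, and the sample input embedded here is copied from the question.

```ruby
require 'csv'
require 'time'

# Constructed sample input: a subset of the lines from the question.
SAMPLE_LOG = <<~LOG
  "03.08.2020 10:56:52","Event LClick","Form ","Type Label","Name Application.for.training","t=13853","beg"
  "03.08.2020 10:57:54","Event LClick","Form Application.for.training","Type Label","Name Application.for.training","t=75442","end"
  "03.08.2020 10:57:54","Event FormActivate","Name List.form","t=75785"
  "03.08.2020 10:58:04","Event Wheel","Form List.form","Type FormTable","Name Список","t=85769","beg"
  "03.08.2020 10:58:08","Event LClick","Form List.form","Type FormTable","Name Список","t=89373","beg"
  "03.08.2020 10:58:15","Event LBtnDbl","Form List.form","Type FormTable","Name Список","t=96752","beg"
  "03.08.2020 10:59:22","Event FormActivate","Name Another.Form","t=164004"
  "03.08.2020 10:59:22","Event LBtnDbl","Form Another.Form","Type FormTable","Name Список","Detail Data","t=164004","end"
  "03.08.2020 10:59:26","Event LClick","Form Another.Form","Type ToolBar","Name КоманднаяПанельПереченьРеквизитов","Detail Заполнить","t=167249","end"
LOG

# Turn one quoted, comma-separated log line into a hash keyed by the first word
# of each field, e.g. "Form List.form" -> rec["Form"] = "List.form".
def parse_line(line)
  fields = CSV.parse_line(line)
  return nil if fields.nil? || fields.empty?
  rec = { 'timestamp' => Time.strptime(fields[0], '%d.%m.%Y %H:%M:%S') }
  fields.drop(1).each do |f|
    key, value = f.split(' ', 2)   # bare "beg"/"end"/"t=NNN" fields map to an empty value
    rec[key] = value.to_s.strip    # "Form " (no name) becomes "" and is treated as no form
  end
  rec
end

# Group consecutive lines that share the same non-empty Form value into one
# session; the session's duration is the last timestamp minus the first.
def form_sessions(lines)
  sessions = []
  current = nil
  lines.each do |line|
    rec = parse_line(line)
    form = rec && rec['Form']
    next if form.nil? || form.empty?        # FormActivate lines carry Name, not Form: skip them
    if current && current[:form] == form
      current[:end] = rec['timestamp']      # same form as the previous line: extend the run
    else
      sessions << current if current        # form changed: close the previous run
      current = { form: form, start: rec['timestamp'], end: rec['timestamp'] }
    end
  end
  sessions << current if current
  sessions.each { |s| s[:duration] = (s[:end] - s[:start]).to_i }
end

form_sessions(SAMPLE_LOG.lines(chomp: true)).each { |s| puts "#{s[:form]}: #{s[:duration]} s" }
```

On the sample this yields 11 seconds for List.form (10:58:04 to 10:58:15), matching item 4 of the question, and 4 seconds for Another.Form.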
