Closed wang1219 closed 5 years ago
good :+1:
You can try this example: https://github.com/tsaikd/gogstash/issues/80 and debug the pattern piece by piece in the stdout output.
@tengattack can you help to update the grok README to avoid this kind of issue?
😊
@wang1219 The problem of your config is using a pattern NGUSER which is not pre-defined:
https://github.com/vjeantet/grok/blob/master/patterns/grok-patterns
- %{NGUSER:remote_user}
+ %{USER:remote_user}
You could change it to USER.
BTW, if you need faster grok parse speed (by using C code binding regexp library: Onigmo), you can compile gogstash from source code.
A Dockerfile example:
FROM golang:alpine
ARG version
RUN apk --update add --no-cache ca-certificates git tzdata build-base
# build onigmo
WORKDIR /src/build/
RUN git clone https://github.com/k-takata/Onigmo.git --depth=1 \
&& cd Onigmo && ./configure && make && make install
WORKDIR /go/src/github.com/tsaikd/gogstash
COPY . /go/src/github.com/tsaikd/gogstash
RUN sed -i -e 's/github.com\/vjeantet\/grok/github.com\/tengattack\/grok/' /go/src/github.com/tsaikd/gogstash/filter/grok/filtergrok.go \
&& go get -d -v ./...
RUN go build -ldflags "-X main.Version=$version"
@tsaikd No problem.
@tengattack Thanks very much.
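The undefined-pattern problem diagnosed above can be caught before a config is deployed. The following is an added example, not code from gogstash or the grok library: it uses only the Go standard library, the names `parseDefs`, `undefinedRefs` and `sampleDefs` are hypothetical, and the pattern definitions are a constructed subset in the grok-patterns file format.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// refRe matches grok references such as %{USER:remote_user} or %{IP}.
var refRe = regexp.MustCompile(`%\{(\w+)(?::[^}]*)?\}`)

// parseDefs reads "NAME regex" lines; blank lines and '#' comments are skipped.
func parseDefs(src string) map[string]string {
	defs := map[string]string{}
	for _, line := range strings.Split(src, "\n") {
		f := strings.SplitN(strings.TrimSpace(line), " ", 2)
		if len(f) == 2 && !strings.HasPrefix(f[0], "#") {
			defs[f[0]] = strings.TrimSpace(f[1])
		}
	}
	return defs
}

// undefinedRefs lists, in discovery order, every pattern name reachable from
// expr (nested definitions included) that has no entry in defs.
func undefinedRefs(expr string, defs map[string]string) []string {
	seen, out := map[string]bool{}, []string{}
	var walk func(string)
	walk = func(e string) {
		for _, m := range refRe.FindAllStringSubmatch(e, -1) {
			if name := m[1]; !seen[name] {
				seen[name] = true
				if _, ok := defs[name]; !ok {
					out = append(out, name)
				}
				walk(defs[name]) // empty body for undefined names: nothing to follow
			}
		}
	}
	walk(expr)
	return out
}

// sampleDefs is a constructed subset in grok-patterns format, not the real file.
const sampleDefs = "USERNAME [a-zA-Z0-9._-]+\nUSER %{USERNAME}\nIP \\d+(\\.\\d+){3}"

func main() {
	defs := parseDefs(sampleDefs)
	fmt.Println(undefinedRefs("%{IP:remote_addr} - %{NGUSER:remote_user}", defs))
	fmt.Println(undefinedRefs("%{IP:remote_addr} - %{USER:remote_user}", defs))
}
```

Feeding it the real grok-patterns file plus any custom patterns file gives the list of names a match expression depends on but nothing defines.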
The log cannot be parsed when I use the grok filter, but I can do it in the Grok Debugger, help
cat config.json
cat grok-patterns
Original log
Log Format
And Grok Debugger