Tags: mutate
mutate: http://www.logstash.net/docs/1.4.2/filters/mutate
Use Logstash to extract ORA errors from the Oracle alert log.
The log format is as follows:
    alter database open
    Errors in file d:\oracle\diag\rdbms\hxw168\hxw168\trace\hxw168_ora_6148.trc:
    ORA-01589: 要打开数据库则必须使用 RESETLOGS 或 NORESETLOGS 选项
    ORA-1589 signalled during: alter database open...
    alter database open resetlogs
Logstash configuration:
    input{
        file{
            codec => plain {
                charset => "CP936"    # the encoding on Windows is CP936 (check with chcp)
            }
            type => "oracleerr"
            path => "D:/logsystem/logstash/bin/test/alert_hxw168.log"
            start_position => "beginning"
        }
        #stdin{type => "hxwtest"}
    }
    filter{
        mutate{
            # Split the message content on ":"; after the split, message is an array.
            # For example abc:efg => message[0] = abc, message[1] = efg
            split => ["message",":"]
        }
        # If the first element has the form ORA-xxxxx, this entry is an ORA error.
        # Add two fields: ORAERR and ORADES
        if [message][0] =~ /^ORA-[0-9]{5}/ {
            mutate{
                add_field => {
                    "ORAERR" => "%{[message][0]}"
                    "ORADES" => "%{[message][1]}"
                }
            }
        }
    }
    output{
        # Output only events that have the ORAERR field.
        if [ORAERR]{
            stdout{
                codec => rubydebug
            }
        }
    }
Result:
1.
    {
        "message" => [
            [0] "ORA-00322",
            [1] " 日志 2 (用于线程 1) 不是最新副本\r"
        ],
        "@version" => "1",
        "@timestamp" => "2014-12-12T15:50:53.790Z",
        "type" => "oracleerr",
        "host" => "huangwen",
        "path" => "D:/logsystem/logstash/bin/test/alert_hxw168.log",
        "ORAERR" => "ORA-00322",
        "ORADES" => " 日志 2 (用于线程 1) 不是最新副本\r"
    }

2.
    {
        "message" => [
            [0] "ORA-00312",
            [1] " 联机日志 2 线程 1",
            [2] " 'D",
            [3] "\\ORACLE\\ORADATA\\HXW168\\REDO02.LOG'\r"
        ],
        "@version" => "1",
        "@timestamp" => "2014-12-12T15:50:53.790Z",
        "type" => "oracleerr",
        "host" => "huangwen",
        "path" => "D:/logsystem/logstash/bin/test/alert_hxw168.log",
        "ORAERR" => "ORA-00312",
        "ORADES" => " 联机日志 2 线程 1"
    }
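In the second result above, ORADES stops at the next ":" and loses the redo log path, and in the first it still carries the trailing "\r". The following added example (not the post's code; function names are hypothetical, and the sample lines are constructed from the entries above using English-locale message text) reproduces the split-on-every-colon behaviour in plain Ruby next to a split at the first colon only:

```ruby
# Added example, not the post's code. Function names are hypothetical.
# Constructed sample lines modelled on the alert-log entries in the post
# (English-locale message text, Windows CR line endings).
SAMPLE_LINES = [
  "alter database open\r",
  "Errors in file d:\\oracle\\diag\\rdbms\\hxw168\\hxw168\\trace\\hxw168_ora_6148.trc:\r",
  "ORA-01589: must use RESETLOGS or NORESETLOGS option for database open\r",
  "ORA-1589 signalled during: alter database open...\r",
  "ORA-00312: online log 2 thread 1: 'D:\\ORACLE\\ORADATA\\HXW168\\REDO02.LOG'\r",
].freeze

ORA_CODE = /\AORA-[0-9]{5}\z/ # the whole first token must be ORA-xxxxx

# Behaviour of the post's filter: split on every ':' and keep elements 0 and 1.
def split_every_colon(line)
  parts = line.split(":")
  return nil unless parts[0].to_s.match?(/^ORA-[0-9]{5}/)
  { "ORAERR" => parts[0], "ORADES" => parts[1] }
end

# Alternative: split at the first ':' only, so colons inside the description
# (drive letters, nested messages) survive, and drop the trailing CR.
def split_first_colon(line)
  code, desc = line.chomp.split(":", 2)
  return nil unless code.to_s.match?(ORA_CODE)
  { "ORAERR" => code, "ORADES" => desc.to_s.strip }
end

# Run one of the two parsers over all lines and keep only the ORA events.
def extract(lines, parser)
  lines.map { |l| send(parser, l) }.compact
end

if __FILE__ == $PROGRAM_NAME
  extract(SAMPLE_LINES, :split_every_colon).each { |e| p e }
  extract(SAMPLE_LINES, :split_first_colon).each { |e| p e }
end
```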
This article comes from the “尽管错,让我错到死!” blog; please keep this attribution: http://hxw168.blog.51cto.com/8718136/1589498
Original URL: http://hxw168.blog.51cto.com/8718136/1589498