logstash filter user_agent - 客户端设备案例:
日志access.log
49.7.21.86 - - [23/May/2023:01:25:42 +0800] "GET /5162.html HTTP/1.1" 404 146 "-" "MQQBrowser/26 Mozilla/5.0 (Linux; U; Android 4.4.2; zh-cn; MB200 Build/GRJ22; CyanogenMod-7) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 (compatible; Sogou web spider/4.0; +http://www.sogou.com/docs/help/webmasters.htm#07)"
49.7.20.28 - - [23/May/2023:01:25:55 +0800] "GET /5162.html HTTP/1.1" 404 146 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
49.7.20.28 - - [23/May/2023:01:25:55 +0800] "GET /5162.html HTTP/1.1" 404 548 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"
filter 内容:
[root@baimeidashu-elk113 /etc/logstash/conf.d]#cat ua.conf
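input {
  file {
    # Only honoured on first contact with the file: once a sincedb offset exists
    # (kept under path.data) Logstash resumes from that offset instead.
    start_position => "beginning"
    path => ["/tmp/access.log"]
  }
}

filter {
  # Parse the raw line into named fields.
  grok {
    # The sample lines are combined-format: referrer and user agent follow the
    # common part. COMMONAPACHELOG alone leaves the UA inside "message", so the
    # two trailing quoted strings are captured explicitly as referrer / agent.
    match => {
      "message" => "%{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}"
    }
    # NOTE(review): with ECS compatibility enabled on newer Logstash versions,
    # the fields captured by COMMONAPACHELOG itself get ECS names (e.g.
    # [source][address]); "timestamp", "referrer" and "agent" as named here
    # should be unaffected — confirm on the target version.
  }
  # Convert the access-log timestamp into an ES date type.
  date {
    match => [
      # e.g. "28/May/2023:16:46:15 +0800"
      "timestamp", "dd/MMM/yyyy:HH:mm:ss Z"
    ]
    # Field that receives the parsed date; without target, @timestamp is overwritten.
    target => "baimei-timestamp"
  }
  # Classify the client device from the user-agent string.
  useragent {
    # Parse the extracted UA field rather than the whole log line. The value is
    # client-supplied, so the derived fields are untrusted data in any downstream use.
    source => "agent"
    # Nest the result under this field; without target the keys land at top level.
    target => "baimei-agent"
  }
}

output {
  elasticsearch {
    # NOTE(review): plain host list with no ssl/user/password configured here —
    # confirm the cluster is reachable only from a trusted network, or add TLS
    # and credentials.
    hosts => ["10.0.0.111:19200","10.0.0.112:19200","10.0.0.113:19200"]
    index => "baimeinginx-access-%{+yyyy.MM.dd}"
  }
  # Echoes every event to stdout in Ruby debug form (useful while developing the pipeline).
  stdout {
    codec => rubydebug
  }
}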
启动:
# Long-form equivalents of -r (auto-reload on config change) and -f (config file).
# --path.data is where Logstash keeps persistent state such as the file input's
# sincedb; with it under /tmp, a cleaned tmp dir likely means the log is re-read
# from the beginning on the next start — confirm that is intended.
logstash --config.reload.automatic --path.config /etc/logstash/conf.d/ua.conf --path.data /tmp/d2
结果: