我正在尝试将 IIS 日志中的日期+时间字段合并到 EventTime 字段中,以便进行 logstash 消化。这是我的 nxlog.conf 文件:
<Input iis1>
#drop comment lines, join the date+time fields into an EventTime field, convert to json
Module im_file
File 'C:\inetpub\logs\LogFiles\W3SVC2\u_ex*.log'
ReadFromLast TRUE
Exec if $raw_event =~ /^#/ drop(); \
else \
{ \
w3c->parse_csv(); \
$EventTime = parsedate($date + " " + $time); \
to_json (); \
}
</Input>
这是我收到的错误:
2013-07-22 06:11:29 ERROR if-else failed at line 51, character 391 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 51, character 228 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; invalid modifier: '-'
我不确定我还能如何处理日期+时间字段。欢迎任何替代方案或建议。谢谢!
答案1
你可能有一个整数在里面字段类型你的w3cxm_csv 模块实例。遗憾的是,它无法处理破折号“-”,无法将其解析为整数。
您应该将 UndefValue 添加到您的 CSV 选项中,以便它知道破折号表示没有数据:
<Extension w3c>
Module xm_csv
Fields $date $time $s-sitename $s-computername $s-ip $cs-method $cs-uri-stem $cs-uri-query $s-port $cs-username $c-ip $cs-version $cs-user-agent $cs-cookie $cs-referer $cs-host $sc-status $sc-substatus $sc-win32-status $sc-bytes $cs-bytes $time-taken
Delimiter ' '
QuoteChar '"'
EscapeControl FALSE
UndefValue -
</Extension>