The following is URI data structured into url, param, and error fields. Note the param field with an empty value.
[2022-12-07T18:11:29,660][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
{ "url" => "/index.html"}
{ "param" => "", "error" => "|107|80040e07|nvarchar", "url" => "/view.asp"}
{ "param" => "id=bbs", "error" => "-|ASP_0147|500_Server_Error", "url" => "/bbs.php"}

if [param] == "" {
  mutate { remove_field => "param" }
}

[2022-12-07T18:12:23,701][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
{ "url" => "/index.html"}
{ "param" => "id=bbs", "error" => "-|ASP_0147|500_Server_Error", "url" => "/bbs.php"}
{ "error" => "|107|80040e07|nvarchar", "url" => "/view.asp"}
While removing the empty param field, I also added a preprocessing step that measures the length of any param that has a value.
if [param] == "" {
  mutate { remove_field => "param" }
} else {
  ruby { code => "event.set('param_len', event.get('param').length)" }
}

[2022-12-07T18:14:05,728][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
{ "param" => "id=bbs", "error" => "-|ASP_0147|500_Server_Error", "param_len" => 6, "url" => "/bbs.php"}
[2022-12-07T18:14:05,851][ERROR][logstash.filters.ruby ][main][568bfdebe435b4898f6032f104b952228043a6bdd51c819c7b53ace73e6500e1] Ruby exception occurred: undefined method `length' for nil:NilClass {:class=>"NoMethodError", :backtrace=>["(ruby filter code):2:in `block in filter_method'", "D:/ELK/logstash-8.5.0/vendor/bundle/jruby/2.6.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:96:in `inline_script'", "D:/ELK/logstash-8.5.0/vendor/bundle/jruby/2.6.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:89:in `filter'", "D:/ELK/logstash-8.5.0/logstash-core/lib/logstash/filters/base.rb:159:in `do_filter'", "D:/ELK/logstash-8.5.0/logstash-core/lib/logstash/filters/base.rb:178:in `block in multi_filter'", "org/jruby/RubyArray.java:1865:in `each'", "D:/ELK/logstash-8.5.0/logstash-core/lib/logstash/filters/base.rb:175:in `multi_filter'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:134:in `multi_filter'", "D:/ELK/logstash-8.5.0/logstash-core/lib/logstash/java_pipeline.rb:301:in `block in start_workers'"]}
{ "error" => "|107|80040e07|nvarchar", "url" => "/view.asp"}
{ "tags" => [ [0] "_rubyexception" ], "url" => "/index.html"}
There is no problem when the param field exists, but an error occurs when the field is absent. Add a condition so the work is done only when the field exists.
if [param] {
  if [param] == "" {
    mutate { remove_field => "param" }
  } else {
    ruby { code => "event.set('param_len', event.get('param').length)" }
  }
}

[2022-12-07T18:18:20,721][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
{ "param" => "", "error" => "|107|80040e07|nvarchar", "url" => "/view.asp"}
{ "param" => "id=bbs", "error" => "-|ASP_0147|500_Server_Error", "param_len" => 6, "url" => "/bbs.php"}
{ "url" => "/index.html"}
The error is gone, but now the param field with an empty value is not removed. I tried changing the condition.
if ![param] {
  mutate { remove_field => "param" }
} else {
  ruby { code => "event.set('param_len', event.get('param').length)" }
}

[2022-12-07T18:20:44,694][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
{ "url" => "/index.html"}
{ "error" => "|107|80040e07|nvarchar", "url" => "/view.asp"}
{ "param" => "id=bbs", "error" => "-|ASP_0147|500_Server_Error", "param_len" => 6, "url" => "/bbs.php"}
Does Logstash treat a field with an empty value as a null field?
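The same nil and empty-string handling can also live entirely inside the ruby filter body, so that .length is never called on a missing field. This is an added example, not code from the original post: FakeEvent, measure_param, run_samples and SAMPLES are hypothetical names, and FakeEvent only stands in for the get/set/remove calls of the Logstash event object so the logic runs outside Logstash.

```ruby
# Minimal stand-in for the Logstash event object (assumption: only the
# get/set/remove calls used below are modelled).
class FakeEvent
  def initialize(fields)
    @fields = fields.dup
  end

  def get(name)
    @fields[name]
  end

  def set(name, value)
    @fields[name] = value
  end

  def remove(name)
    @fields.delete(name)
  end

  def to_hash
    @fields.dup
  end
end

# Logic that could go in ruby { code => "..." }: nil (field absent) and ""
# are handled explicitly, so .length is never called on nil.
def measure_param(event)
  param = event.get('param')
  return event if param.nil?            # field absent: nothing to do
  if param.to_s.empty?
    event.remove('param')               # empty value: drop the field
  else
    event.set('param_len', param.to_s.length)
  end
  event
end

# Constructed sample events mirroring the three records in the post.
SAMPLES = [
  { 'url' => '/index.html' },
  { 'param' => '', 'error' => '|107|80040e07|nvarchar', 'url' => '/view.asp' },
  { 'param' => 'id=bbs', 'error' => '-|ASP_0147|500_Server_Error', 'url' => '/bbs.php' }
].freeze

def run_samples
  SAMPLES.map { |fields| measure_param(FakeEvent.new(fields)).to_hash }
end

puts run_samples.inspect if __FILE__ == $PROGRAM_NAME
```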