I am following the instructions here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html
but it is not working the way I expect.
I currently have the following CloudWatch Logs subscription filter pattern:
? "UNKNOWN_TOPIC_OR_PARTITION" ? " SEVERE " ? " severe " ? " FATAL " ? " fatal " - "closing session"
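I want to match any of the patterns up to " fatal ", while excluding "closing session" from the results.
However, the filter above matches other log output: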
You cannot use the event filter in CloudWatch... but you can use Logs Insights
CloudWatch -> CloudWatch Logs -> Logs Insights
or
CloudWatch -> CloudWatch Logs -> Log groups -> [your service logs] -> [Logs Insights button]
So, in your case, you can use this in the query box:
fields @timestamp, @message
| sort @timestamp desc
| filter @message like /SEVERE|severe|FATAL|fatal|closing session/
Now click Run query and you will see only the logs you want with that filter.
Try this filter pattern:
[(w1="*UNKNOWN_TOPIC_OR_PARTITION*" || w1="*SEVERE*" || w1="*severe*" || w1="*FATAL*" || w1="*fatal*") && w1!="*closing session*"]
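This bit, combined with all the ORs, is giving you problems:
- "closing session"
Try removing it and see whether the rest matches as expected.
I don't know the syntax for getting what you want in a single filter, but to get the same result you can create a separate log filter for each string you want to match. In this case, that would be: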
"UNKNOWN_TOPIC_OR_PARTITION" - "closing session"
" SEVERE " - "closing session"
" severe " - "closing session"
" FATAL " - "closing session"
" fatal " - "closing session"
Now you have 5 different metrics. You can sum them using metric math, which will give you the metric you want. See here for how to use metric math:
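The per-term filters from the answer above, modelled locally as an added example (not code from the answer or from AWS). It assumes a quoted term matches as a case-sensitive substring, and the log lines are constructed. It shows that an event containing two of the terms is counted by two filters, so the metric-math sum can exceed the number of distinct events.

```python
# Added example: local model of the five per-term metric filters.
# Assumption: a quoted term matches when it occurs in the message as a
# case-sensitive substring, and `- "term"` drops events containing that term.

INCLUDE_TERMS = [
    "UNKNOWN_TOPIC_OR_PARTITION",
    " SEVERE ",
    " severe ",
    " FATAL ",
    " fatal ",
]
EXCLUDE_TERM = "closing session"

# Constructed sample log lines (not taken from the page).
SAMPLE_EVENTS = [
    "2024-01-01 10:00:00 SEVERE broker returned UNKNOWN_TOPIC_OR_PARTITION",
    "2024-01-01 10:00:01 FATAL disk full",
    "2024-01-01 10:00:02 FATAL error while closing session 42",
    "2024-01-01 10:00:03 INFO closing session 43",
    "2024-01-01 10:00:04 INFO heartbeat ok",
    "2024-01-01 10:00:05 Fatal mixed-case level is not matched",
]


def filter_matches(term, message, exclude=EXCLUDE_TERM):
    """Model of the pattern `"term" - "exclude"` for one log event."""
    return term in message and exclude not in message


def per_filter_counts(events):
    """Metric value each of the five filters would publish (1 per match)."""
    return {t: sum(filter_matches(t, e) for e in events) for t in INCLUDE_TERMS}


def summed_metric(events):
    """What a metric-math sum over the five metrics yields."""
    return sum(per_filter_counts(events).values())


def distinct_matching_events(events):
    """Events that match at least one term and do not contain the exclusion."""
    return [e for e in events if any(filter_matches(t, e) for t in INCLUDE_TERMS)]


if __name__ == "__main__":
    for term, n in per_filter_counts(SAMPLE_EVENTS).items():
        print(f"{term!r:32} {n}")
    print("sum of metrics :", summed_metric(SAMPLE_EVENTS))
    print("distinct events:", len(distinct_matching_events(SAMPLE_EVENTS)))
```

If the summed metric feeds an alarm threshold, size the threshold for matches rather than events, since one log line can contribute more than once.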
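Finally figured out how to make this work for JSON log data - mine are Fluent Bit enriched logs generated from my EKS pods, and this example works perfectly for me. The xxxxxx in the test data is just my anonymization.
My use case is to filter by
Filter pattern used to generate the CloudWatch metric filter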
{ ($.log = "*400*" || $.log = "*500*" ) && ($.kubernetes.namespace_name = "*prod*" || $.kubernetes.namespace_name = "*stage*")}
Test samples
{"time":"2024-06-20T19:37:54.143939587Z","stream":"stdout","_p":"F","log":"INFO: xxxxxxx - \"GET /healthz HTTP/1.1\" 200 OK","kubernetes":{"pod_name":"dummy-75c4c7f78d-vv4pk","namespace_name":"dummy-dev","pod_id":"88853af3-7911-4c07-8ab9-d1a90d875242","host":"ip-xxxxxxxxxx.us-east-2.compute.internal","container_name":"dummy","docker_id":"xxxxxxxxxx","container_hash":"xxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com/dummy@sha256:470eed44a3d65d95def5f8387f2a127f8f29eee94ed14994044093a6ff5332ef","container_image":"xxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com/dummy:dev-build-1986d44-v1.0.0"}}
{"time":"2024-06-20T19:38:09.143560164Z","stream":"stdout","_p":"F","log":"INFO: xxxxxxxxxx:36824 - \"GET /healthz HTTP/1.1\" 400 OK","kubernetes":{"pod_name":"dummy-75c4c7f78d-vv4pk","namespace_name":"dummy-prod","pod_id":"88853af3-7911-4c07-8ab9-d1a90d875242","host":"ip-xxxxxxxxxx.us-east-2.compute.internal","container_name":"dummy","docker_id":"xxxxxxxxxx","container_hash":"xxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com/dummy@sha256:470eed44a3d65d95def5f8387f2a127f8f29eee94ed14994044093a6ff5332ef","container_image":"xxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com/dummy:dev-build-1986d44-v1.0.0"}}
{"time":"2024-06-20T19:38:24.143866118Z","stream":"stdout","_p":"F","log":"INFO: xxxxxxxxxx:49414 - \"GET /healthz HTTP/1.1\" 400 OK","kubernetes":{"pod_name":"dummy-75c4c7f78d-vv4pk","namespace_name":"dummy-stage","pod_id":"88853af3-7911-4c07-8ab9-d1a90d875242","host":"ip-xxxxxxxxxx.us-east-2.compute.internal","container_name":"dummy","docker_id":"xxxxxxxxxx","container_hash":"xxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com/dummy@sha256:470eed44a3d65d95def5f8387f2a127f8f29eee94ed14994044093a6ff5332ef","container_image":"xxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com/dummy:dev-build-1986d44-v1.0.0"}}
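Cheers, please upvote if this helps anyone who comes looking for an example. I landed here when I was looking for this, so I am putting it here.
Hint: ChatGPT and the docs helped :P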