OpenSearch Ingest Pipeline Grok 日志解析与索引实战

---

title: OpenSearch Ingest Pipeline Grok 日志解析与索引实战

keywords: ingest pipeline, grok, simulate, processors, _bulk, index

description: 定义 Ingest Pipeline 使用 Grok 解析日志行并落盘索引，通过模拟与别名管理提升数据接入质量。

categories:

• 文章资讯
• 技术教程

---

创建 Grok 解析流水线：

PUT _ingest/pipeline/logs_grok
{
  "description": "parse nginx access log",
  "processors": [
    {
      "grok": {
        "field": "message",
        "patterns": ["%{IPORHOST:client} - - \[%{HTTPDATE:time}\] \"%{WORD:method} %{URIPATHPARAM:uri} HTTP/%{NUMBER:http_version}\" %{NUMBER:status} %{NUMBER:bytes}"]
      }
    },
    { "remove": { "field": "message" } }
  ]
}

模拟解析：

POST _ingest/pipeline/logs_grok/_simulate
{
  "docs": [
    { "_source": { "message": "127.0.0.1 - - [10/Oct/2025:13:55:36 +0000] \"GET /index.html HTTP/1.1\" 200 1234" } }
  ]
}

索引写入（使用流水线）：

POST logs-access/_doc?pipeline=logs_grok
{
  "message": "127.0.0.1 - - [10/Oct/2025:13:55:36 +0000] \"GET /index.html HTTP/1.1\" 200 1234"
}