Logstash - grok 多行
Logstash - grok multiline
我尝试在 grok 过滤器中使用多行,但它无法正常工作。
我的日志是
H3|15:55:04:760|exception|not working properly
message:space exception
at line number 25
我的配置文件是
input { file {
path => "logs/test.log"
start_position => beginning
sincedb_path => "/dev/null"
}}
filter{
multiline {
pattern => "^(\s|[A-Z][a-z]).*"
what => "previous"
}
if [message] =~ /H\d+/{
grok {
match => ["message", "(?m)%{USERNAME:level}\|%{TIME:timestamp}\|%{WORD:method}\|%{GREEDYDATA:error_Message}" ]
}
}
else {
grok {
match => ["message", "(?m)%{GREEDYDATA:error_Message}" ]
}
}
}
output {elasticsearch { host => "localhost" protocol => "http" port => "9200" }}
我能够处理日志文件的第一行,但是日志文件的第二行在我想使用多行的地方不起作用
我想要的输出
{
"@timestamp" => "2014-06-19 00:00:00,000"
"path" => "logs/test.log"
"level"=>"H3"
"timestamp"=>15:55:04:760
"method"=>exception
"error_message"=>not working properly
},
{
"@timestamp" => "2014-06-19 00:00:00,000"
"path" => "logs/test.log"
"error_message" => "space exception at line 25"
}
请帮助我获得所需的输出。
您的多行配置显示,"if I find this pattern, keep it with the previous line"。
你的模式“^(\s|[A-Z][a-z]).*”表示 "either a space, or a capital letter followed by a lowercase letter, then followed by other stuff".
因此,“foo”或 "California" 会匹配,但 "H3" 不会。
我会建议一个匹配多行表达式开头的模式,并使用 'negate' 功能让所有不匹配该模式的行连接到原始行:
filter {
multiline {
pattern => "^[A-Z][0-9]\|"
negate => 'true'
what => 'previous'
}
}
}
这会将 "H3|" 行作为开头,并将所有其他行连接到它。根据行开头的值范围,您可能需要编辑正则表达式。
我尝试在 grok 过滤器中使用多行,但它无法正常工作。
我的日志是
H3|15:55:04:760|exception|not working properly
message:space exception
at line number 25
我的配置文件是
input { file {
path => "logs/test.log"
start_position => beginning
sincedb_path => "/dev/null"
}}
filter{
multiline {
pattern => "^(\s|[A-Z][a-z]).*"
what => "previous"
}
if [message] =~ /H\d+/{
grok {
match => ["message", "(?m)%{USERNAME:level}\|%{TIME:timestamp}\|%{WORD:method}\|%{GREEDYDATA:error_Message}" ]
}
}
else {
grok {
match => ["message", "(?m)%{GREEDYDATA:error_Message}" ]
}
}
}
output {elasticsearch { host => "localhost" protocol => "http" port => "9200" }}
我能够处理日志文件的第一行,但是日志文件的第二行在我想使用多行的地方不起作用
我想要的输出
{
"@timestamp" => "2014-06-19 00:00:00,000"
"path" => "logs/test.log"
"level"=>"H3"
"timestamp"=>15:55:04:760
"method"=>exception
"error_message"=>not working properly
},
{
"@timestamp" => "2014-06-19 00:00:00,000"
"path" => "logs/test.log"
"error_message" => "space exception at line 25"
}
请帮助我获得所需的输出。
您的多行配置显示,"if I find this pattern, keep it with the previous line"。
你的模式“^(\s|[A-Z][a-z]).*”表示 "either a space, or a capital letter followed by a lowercase letter, then followed by other stuff".
因此,“foo”或 "California" 会匹配,但 "H3" 不会。
我会建议一个匹配多行表达式开头的模式,并使用 'negate' 功能让所有不匹配该模式的行连接到原始行:
filter {
multiline {
pattern => "^[A-Z][0-9]\|"
negate => 'true'
what => 'previous'
}
}
}
这会将 "H3|" 行作为开头,并将所有其他行连接到它。根据行开头的值范围,您可能需要编辑正则表达式。