② How Logstash grok handles the merged multi-line event. Once the lines have been merged, the rest of the pipeline is the same whichever merging method you use; the grok match looks like this:
filter {
  grok {
    match => {
      "message" => "^%{TIMESTAMP_ISO8601:InsertTime} .*- task request,.*,start time:%{TIMESTAMP_ISO8601:RequestTime}\n-- Request String : {\"UserName\":\"%{NUMBER:UserName:int}\",\"Pwd\":\"(?<Pwd>.*)\",\"DeviceType\":%{NUMBER:DeviceType:int},\"DeviceId\":\"(?<DeviceId>.*)\",\"EquipmentNo\":(?<EquipmentNo>.*),\"SSID\":(?<SSID>.*),\"RegisterPhones\":(?<RegisterPhones>.*),\"AppKey\":\"(?<AppKey>.*)\",\"Version\":\"(?<Version>.*)\"} -- End\n-- Response String : {\"ErrorCode\":%{NUMBER:ErrorCode:int},\"Success\":(?<Success>[a-z]*),\"ErrorMsg\":(?<ErrorMsg>.*),\"Result\":(?<Result>.*),\"WaitInterval\":%{NUMBER:WaitInterval:int}} -- End"
    }
  }
}
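To show what that grok match actually pulls out of one merged event, here is an added Python example (not code from the page, from Logstash or from the grok library). It contains a minimal grok-to-regex expander using simplified stand-ins for the TIMESTAMP_ISO8601 and NUMBER base patterns (an assumption: Logstash's own definitions are broader), applies the page's pattern to a constructed three-line event in the page's format, and then shows that the same text with the newlines collapsed, i.e. an event that was never merged, does not match at all, which is why the multiline merge has to run before grok.

```python
import re

# Simplified stand-ins for the grok base patterns the page's match uses
# (assumption: Logstash's real TIMESTAMP_ISO8601 and NUMBER are broader).
GROK_BASE = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2}(?:[.,]\d+)?)?",
    "NUMBER": r"[+-]?(?:\d+(?:\.\d+)?|\.\d+)",
}

# %{NAME}, %{NAME:field} or %{NAME:field:type}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?(?::(\w+))?\}")
# Oniguruma-style custom capture (?<name>...) -> Python's (?P<name>...)
ONIG_GROUP = re.compile(r"\(\?<(?![=!])")


def compile_grok(pattern):
    """Expand a grok pattern into a compiled Python regex plus {field: type}."""
    types = {}

    def expand(m):
        name, field, typ = m.groups()
        base = GROK_BASE[name]
        if field is None:
            return f"(?:{base})"
        if typ is not None:
            types[field] = typ
        return f"(?P<{field}>{base})"

    py_pattern = ONIG_GROUP.sub("(?P<", GROK_REF.sub(expand, pattern))
    return re.compile(py_pattern), types


# The page's grok match as Python raw strings (the JSON quotes need no escaping
# here, whereas inside a Logstash double-quoted string they are written \").
TASK_REQUEST_GROK = (
    r'^%{TIMESTAMP_ISO8601:InsertTime} .*- task request,.*,start time:%{TIMESTAMP_ISO8601:RequestTime}\n'
    r'-- Request String : {"UserName":"%{NUMBER:UserName:int}","Pwd":"(?<Pwd>.*)",'
    r'"DeviceType":%{NUMBER:DeviceType:int},"DeviceId":"(?<DeviceId>.*)","EquipmentNo":(?<EquipmentNo>.*),'
    r'"SSID":(?<SSID>.*),"RegisterPhones":(?<RegisterPhones>.*),"AppKey":"(?<AppKey>.*)","Version":"(?<Version>.*)"} -- End\n'
    r'-- Response String : {"ErrorCode":%{NUMBER:ErrorCode:int},"Success":(?<Success>[a-z]*),'
    r'"ErrorMsg":(?<ErrorMsg>.*),"Result":(?<Result>.*),"WaitInterval":%{NUMBER:WaitInterval:int}} -- End'
)

_REGEX, _TYPES = compile_grok(TASK_REQUEST_GROK)


def parse_event(message):
    """Apply the grok match to one merged event; None means _grokparsefailure."""
    m = _REGEX.match(message)
    if m is None:
        return None
    fields = m.groupdict()
    for field, typ in _TYPES.items():      # honour the :int / :float casts
        if typ == "int":
            fields[field] = int(fields[field])
        elif typ == "float":
            fields[field] = float(fields[field])
    return fields


# Constructed sample event (three physical lines already merged into one message).
SAMPLE_EVENT = (
    "2017-06-01 10:00:00,123 INFO  - task request,worker-1,start time:2017-06-01 09:59:59,900\n"
    '-- Request String : {"UserName":"13800000000","Pwd":"***","DeviceType":1,"DeviceId":"abc-123",'
    '"EquipmentNo":null,"SSID":null,"RegisterPhones":null,"AppKey":"key1","Version":"1.0"} -- End\n'
    '-- Response String : {"ErrorCode":0,"Success":true,"ErrorMsg":null,"Result":null,"WaitInterval":30} -- End'
)

if __name__ == "__main__":
    print(parse_event(SAMPLE_EVENT))
    # An event whose lines were never merged (newlines gone) fails the match.
    print(parse_event(SAMPLE_EVENT.replace("\n", " ")))
```

Note that the page's pattern lifts the Pwd value into its own field; in a real pipeline that field should be dropped or masked (for example with the mutate filter's remove_field) before the event is indexed.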
Using the multiline feature in Filebeat (recommended):
① Introduction to multiline
- pattern: the regex that decides which lines get merged;
- negate: true/false; with false, the lines that match pattern are the ones merged into the neighbouring event, with true it is the lines that do not match pattern.
match: after/before (work out which of the two fits your log)
- after: lines are merged after the line matching pattern; note: in this mode the last log entry is not matched and processed, because nothing after it tells Filebeat that the event is complete;
- before: lines are merged before the line matching pattern (recommended).
② Version 5.5 and later (using before as the example)
filebeat.prospectors:
- input_type: log
  paths:
    - /root/performanceTrace*
  fields:
    type: zidonghualog
  multiline.pattern: '.*"WaitInterval":.*-- End'
  multiline.negate: true
  multiline.match: before
③ Versions before 5.5 (using after as the example)
filebeat.prospectors:
- input_type: log
  paths:
    - /root/performanceTrace*
  multiline:
    pattern: '^20.*'
    negate: true
    match: after
Using the multiline codec in the Logstash input (recommended when there is no Filebeat):
① Introduction to multiline
- pattern: the regex that decides which lines get merged;
- negate: true/false; with false, the lines that match pattern are the ones merged into the neighbouring event, with true it is the lines that do not match pattern.
what: previous/next (work out which of the two fits your log)
- previous: equivalent to Filebeat's after;
- next: equivalent to Filebeat's before.
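As an added example (not from the page, Filebeat or Logstash) covering both the Filebeat pattern/negate/match options and the Logstash codec's previous/next equivalents described above, the following Python reproduces the merge logic over a constructed log in the page's format. It returns the completed events together with whatever is still buffered when the input ends, which makes the note about match: after visible: with the '^20.*' start-of-event pattern the last event never leaves the buffer, whereas the "WaitInterval" end-of-event pattern with match: before closes every event on its terminator line.

```python
import re


def merge_multiline(lines, pattern, negate, match):
    """Filebeat-style multiline merge over an iterable of raw log lines.

    negate=False: a line that matches `pattern` is a continuation line.
    negate=True:  a line that does NOT match `pattern` is a continuation line.
    match="after":  continuation lines are appended after the preceding
                    non-continuation line (Logstash codec: what => "previous").
    match="before": continuation lines are collected and flushed together with
                    the next non-continuation line (Logstash codec: what => "next").

    Returns (events, pending): `events` are the completed multi-line events,
    `pending` is whatever is still buffered when the input ends (None if nothing).
    """
    if match not in ("after", "before"):
        raise ValueError("match must be 'after' or 'before'")
    rx = re.compile(pattern)
    events, buf = [], []
    for line in lines:
        # Filebeat tests the pattern unanchored, hence search() rather than match().
        is_cont = (rx.search(line) is not None) != negate
        if match == "after":
            if is_cont and buf:
                buf.append(line)           # glue onto the event started earlier
            else:
                if buf:                    # a new event starts: flush the old one
                    events.append("\n".join(buf))
                buf = [line]
        else:  # "before"
            buf.append(line)
            if not is_cont:                # the terminator line closes the event
                events.append("\n".join(buf))
                buf = []
    return events, ("\n".join(buf) if buf else None)


def merge_logstash(lines, pattern, negate, what):
    """The same merge expressed in the Logstash multiline codec's vocabulary."""
    return merge_multiline(lines, pattern, negate,
                           {"previous": "after", "next": "before"}[what])


# Constructed sample log in the page's format: two events of three lines each.
SAMPLE_LOG = [
    "2017-06-01 10:00:00,123 INFO  - task request,worker-1,start time:2017-06-01 09:59:59,900",
    '-- Request String : {"UserName":"13800000000","Pwd":"***"} -- End',
    '-- Response String : {"ErrorCode":0,"WaitInterval":30} -- End',
    "2017-06-01 10:00:05,456 INFO  - task request,worker-2,start time:2017-06-01 10:00:05,000",
    '-- Request String : {"UserName":"13800000001","Pwd":"***"} -- End',
    '-- Response String : {"ErrorCode":1,"WaitInterval":60} -- End',
]

if __name__ == "__main__":
    # Start-of-event pattern with match: after -> the second event stays pending.
    done, left = merge_multiline(SAMPLE_LOG, r"^20.*", negate=True, match="after")
    print(len(done), "event(s) flushed, pending:", left is not None)
    # End-of-event pattern with match: before -> both events are flushed.
    done, left = merge_multiline(SAMPLE_LOG, r'.*"WaitInterval":.*-- End', negate=True, match="before")
    print(len(done), "event(s) flushed, pending:", left is not None)
```

In real Filebeat the pending event is not lost; it is emitted once multiline.timeout expires or the input is closed, but until then it is invisible to Logstash, which is what the "last entry is not processed" remark describes.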
② Usage
input {
  file {
    path => ["/root/logs/log2"]
    start_position => "beginning"
    codec => multiline {
      pattern => "^20.*"
      negate => true
      what => "previous"
    }
  }
}
Using the multiline plugin in the Logstash filter (not recommended):