2.2.2 多行事件编码: zjtest7-frontend:/usr/local/logstash-2.3.4/bin# ./plugin list | grep multi Ignoring ffi-1.9.13 because its extensions are not built. Try: gem pristine ffi --version 1.9.13 logstash-codec-multiline logstash-filter-multiline zjtest7-frontend:/usr/local/logstash-2.3.4/config# cat multi.comf input { stdin { codec =>multiline { pattern =>"^\[" negate=>true what=>"previous" } } } output { stdout { codec=>rubydebug{} } } /********************** zjtest7-frontend:/usr/local/logstash-2.3.4/config# ../bin/logstash -f multi.comf Settings: Default pipeline workers: 1 Pipeline main started [Aug/25/08 12:12:12] hello world 此时为了 敲回车没反应,因为\n并不匹配是设置的^\[ 正则表达式,logstash 还得等下一行数据直到匹配成功后才会输出这个事件 zjtest7-frontend:/usr/local/logstash-2.3.4/config# ../bin/logstash -f multi.comf Settings: Default pipeline workers: 1 Pipeline main started [Aug/25/08 12:12:12] hello world [Aug 9527] { "@timestamp" => "2016-08-25T06:29:31.182Z", "message" => "[Aug/25/08 12:12:12] hello world", "@version" => "1", "host" => "0.0.0.0" } zjtest7-frontend:/usr/local/logstash-2.3.4/config# ../bin/logstash -f multi.comf Settings: Default pipeline workers: 1 Pipeline main started [Aug/08/08 14:54:03] hellow world [Aug/08/09 14:54:04] hello logstash { "@timestamp" => "2016-08-25T06:33:14.623Z", "message" => "[Aug/08/08 14:54:03] hellow world", "@version" => "1", "host" => "0.0.0.0" } hello best practice hello raochelin [Aug/09/10] the end { "@timestamp" => "2016-08-25T06:34:01.344Z", "message" => "[Aug/08/09 14:54:04] hello logstash\nhello best practice\nhello raochelin", "@version" => "1", "tags" => [ [0] "multiline" ], "host" => "0.0.0.0" } 这个插件很简单,就是把当前行的数据添加到前面一行后面,直到新进的当前行匹配^\[正则为止。
logstash 处理多行
转载本文章为转载内容,我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题,欢迎原作者联系我们进行内容更正或删除文章。
提问和评论都可以,用心的回复会被更多人看到
评论
发布评论
相关文章
-
ELK logstash 处理多行事件
de...
elk logstash java 正则表达式 Bootstrap -
logstash处理多行日志-处理java堆栈日志
logstash处理多行日志-处理java堆栈日志一、背景二、需求三、实现思路1、分
logstash logstash多行日志 logstash堆栈处理 logstash 日志收集 elk日志处理