- elasticsearch/
elasticsearch 多行编解码器错误?
elasticsearch 多行编解码器错误?
当我解析多行编解码器的logs on TIMESTAMP字段时,它显示了方括号中时间戳字段的错误输出 配置:
input {
file {
path => "D:\logstash\logstash-2.4.0\bin\slowlogs.txt"
start_position => "beginning"
codec => multiline {
pattern => "^%{TIMESTAMP_ISO8601} "
negate => true
what => previous
}
}
}
output {
stdout { codec => rubydebug }
}
{
"@timestamp" => "2017-05-23T11:19:10.635Z",
"message" => "[2015-08-24 11:49:14,389] [INFO ][env
] [Letha] using [1] data paths, mounts [[/\r\n(/dev/disk1)]], net usable_space [
34.5gb], net total_space [118.9gb], types [hfs]\r\n[2015-08-24 11:49:14,389] [IN
FO ][env ] [Letha] using [1] data paths, mounts [[/\r\n(/de
v/disk1)]], net usable_space [34.5gb], net total_space [118.9gb], types [hfs]\r\
n[2015-08-24 11:49:14,389] [INFO ][env ] [Letha] using [1]
data paths, mounts [[/\r\n(/dev/disk1)]], net usable_space [34.5gb], net total_s
pace [118.9gb], types [hfs]\r\n\r\n\r",
"@version" => "1",
"tags" => [
[0] "multiline"
],
"path" => "D:\\logstash\\logstash-2.4.0\\bin\\slowlogs.txt",
"host" => "PC326815"
}
2015-08-24 11:49:14,389 [INFO ][env ] [Letha] using [1] data paths, mounts [[/
(/dev/disk1)]], net usable_space [34.5gb], net total_space [118.9gb], types [hfs]
2015-08-24 11:49:14,389 [INFO ][env ] [Letha] using [1] data paths, mounts [[/
(/dev/disk1)]], net usable_space [34.5gb], net total_space [118.9gb], types [hfs]
2015-08-24 11:49:14,389 [INFO ][env ] [Letha] using [1] data paths, mounts [[/
(/dev/disk1)]], net usable_space [34.5gb], net total_space [118.9gb], types [hfs]
{
"@timestamp" => "2017-05-23T11:25:48.075Z",
"message" => "2015-08-24 11:49:14,389 [INFO ][env ]
[Letha] using [1] data paths, mounts [[/\r\n(/dev/disk1)]], net usable_space [3
.5gb], net total_space [118.9gb], types [hfs]\r",
"@version" => "1",
"tags" => [
[0] "multiline"
],
"path" => "D:\\logstash\\logstash-2.4.0\\bin\\slowlogs.txt",
"host" => "PC326815"
}
{
"@timestamp" => "2017-05-23T11:25:48.278Z",
"message" => "2015-08-24 11:49:14,389 [INFO ][env ]
[Letha] using [1] data paths, mounts [[/\r\n(/dev/disk1)]], net usable_space [3
.5gb], net total_space [118.9gb], types [hfs]\r",
"@version" => "1",
"tags" => [
[0] "multiline"
],
"path" => "D:\\logstash\\logstash-2.4.0\\bin\\slowlogs.txt",
"host" => "PC326815"
}
←[33mSIGINT received. Shutting down the agent. {:level=>:warn}←[0m
stopping pipeline {:id=>"main"}
{
"@timestamp" => "2017-05-23T11:25:57.421Z",
"message" => "2015-08-24 11:49:14,389 [INFO ][env ]
[Letha] using [1] data paths, mounts [[/\r\n(/dev/disk1)]], net usable_space [3
.5gb], net total_space [118.9gb], types [hfs]\r\n\r\n\r",
"@version" => "1",
"tags" => [
[0] "multiline"
],
"path" => "D:\\logstash\\logstash-2.4.0\\bin\\slowlogs.txt",
"host" => "PC326815"
}
input {
file {
path => "D:\logstash\logstash-2.4.0\bin\slowlogs.txt"
start_position => "beginning"
codec => multiline {
pattern => "^\[%{TIMESTAMP_ISO8601:TIMESTAMP}\]"
negate => true
what => previous
}
}
}
output {
stdout { codec => rubydebug }
}
“^\[%{TIMESTAMP\u ISO8601}\]”来尝试它
谢谢问题在于我在输入中提到的多行模式。它必须是这样的:
{
"@timestamp" => "2017-05-23T11:25:48.075Z",
"message" => "2015-08-24 11:49:14,389 [INFO ][env ]
[Letha] using [1] data paths, mounts [[/\r\n(/dev/disk1)]], net usable_space [3
.5gb], net total_space [118.9gb], types [hfs]\r",
"@version" => "1",
"tags" => [
[0] "multiline"
],
"path" => "D:\\logstash\\logstash-2.4.0\\bin\\slowlogs.txt",
"host" => "PC326815"
}
{
"@timestamp" => "2017-05-23T11:25:48.278Z",
"message" => "2015-08-24 11:49:14,389 [INFO ][env ]
[Letha] using [1] data paths, mounts [[/\r\n(/dev/disk1)]], net usable_space [3
.5gb], net total_space [118.9gb], types [hfs]\r",
"@version" => "1",
"tags" => [
[0] "multiline"
],
"path" => "D:\\logstash\\logstash-2.4.0\\bin\\slowlogs.txt",
"host" => "PC326815"
}
←[33mSIGINT received. Shutting down the agent. {:level=>:warn}←[0m
stopping pipeline {:id=>"main"}
{
"@timestamp" => "2017-05-23T11:25:57.421Z",
"message" => "2015-08-24 11:49:14,389 [INFO ][env ]
[Letha] using [1] data paths, mounts [[/\r\n(/dev/disk1)]], net usable_space [3
.5gb], net total_space [118.9gb], types [hfs]\r\n\r\n\r",
"@version" => "1",
"tags" => [
[0] "multiline"
],
"path" => "D:\\logstash\\logstash-2.4.0\\bin\\slowlogs.txt",
"host" => "PC326815"
}
input {
file {
path => "D:\logstash\logstash-2.4.0\bin\slowlogs.txt"
start_position => "beginning"
codec => multiline {
pattern => "^\[%{TIMESTAMP_ISO8601:TIMESTAMP}\]"
negate => true
what => previous
}
}
}
output {
stdout { codec => rubydebug }
}
问题在于我在输入中提到的多行模式。它必须是这样的:
{
"@timestamp" => "2017-05-23T11:25:48.075Z",
"message" => "2015-08-24 11:49:14,389 [INFO ][env ]
[Letha] using [1] data paths, mounts [[/\r\n(/dev/disk1)]], net usable_space [3
.5gb], net total_space [118.9gb], types [hfs]\r",
"@version" => "1",
"tags" => [
[0] "multiline"
],
"path" => "D:\\logstash\\logstash-2.4.0\\bin\\slowlogs.txt",
"host" => "PC326815"
}
{
"@timestamp" => "2017-05-23T11:25:48.278Z",
"message" => "2015-08-24 11:49:14,389 [INFO ][env ]
[Letha] using [1] data paths, mounts [[/\r\n(/dev/disk1)]], net usable_space [3
.5gb], net total_space [118.9gb], types [hfs]\r",
"@version" => "1",
"tags" => [
[0] "multiline"
],
"path" => "D:\\logstash\\logstash-2.4.0\\bin\\slowlogs.txt",
"host" => "PC326815"
}
←[33mSIGINT received. Shutting down the agent. {:level=>:warn}←[0m
stopping pipeline {:id=>"main"}
{
"@timestamp" => "2017-05-23T11:25:57.421Z",
"message" => "2015-08-24 11:49:14,389 [INFO ][env ]
[Letha] using [1] data paths, mounts [[/\r\n(/dev/disk1)]], net usable_space [3
.5gb], net total_space [118.9gb], types [hfs]\r\n\r\n\r",
"@version" => "1",
"tags" => [
[0] "multiline"
],
"path" => "D:\\logstash\\logstash-2.4.0\\bin\\slowlogs.txt",
"host" => "PC326815"
}
input {
file {
path => "D:\logstash\logstash-2.4.0\bin\slowlogs.txt"
start_position => "beginning"
codec => multiline {
pattern => "^\[%{TIMESTAMP_ISO8601:TIMESTAMP}\]"
negate => true
what => previous
}
}
}
output {
stdout { codec => rubydebug }
}