Logging 如何基于时间戳解析多行麋鹿_Logging_Elastic Stack_Filebeat

Logging 如何基于时间戳解析多行麋鹿

logging

Logging 如何基于时间戳解析多行麋鹿,logging,elastic-stack,filebeat,Logging,Elastic Stack,Filebeat,我的日志是 2017-07-04 10:19:52,896 - [INFO] - from application in ForkJoinPool-3-worker-1 Resolving database... 2017-07-04 10:19:52,897 - [INFO] - from application in ForkJoinPool-3-worker-1 Resolving database... 2017-07-04 10:19:52,897 - [DEBUG] - fr

我的日志是

2017-07-04 10:19:52,896 - [INFO] - from application in ForkJoinPool-3-worker-1

Resolving database...

2017-07-04 10:19:52,897 - [INFO] - from application in ForkJoinPool-3-worker-1

Resolving database...

2017-07-04 10:19:52,897 - [DEBUG] - from application in ForkJoinPool-3-worker-1

Json Body : {"took":2,"timed_out":false,"_shards":{"total":5,"successful":5,"failed":0},"hits":{"total":0,"max_score":null,"hits":[]},"aggregations":{"fp":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[]}}}

2017-07-04 10:19:52,898 - [DEBUG] - from application in application-akka.actor.default-dispatcher-53

Successfully updated the transaction.

2017-07-04 10:19:52,899 - [INFO] - from application in ForkJoinPool-3-worker-1

Resolving database...

2017-07-04 10:19:52,901 - [DEBUG] - from application in application-akka.actor.default-dispatcher-54

Successfully updated the transaction.

我想将两个时间戳之间的所有日志分组在一起，并与它们匹配格里迪数据。

我将filebeat与麋鹿一起使用

我通过以下配置解决了它

在以数字开头的行之后匹配所有行，并将它们合并在一起

logstash filter : 
filter {
  if [type] == "asp" {
    grok {
      patterns_dir => "/etc/logstash/conf.d/patterns"
      match => { "message" => "%{JAVASTACKTRACEPART}" }
    }
  }
}

狼吞虎咽地吃下所有的木头

logstash filter : 
filter {
  if [type] == "asp" {
    grok {
      patterns_dir => "/etc/logstash/conf.d/patterns"
      match => { "message" => "%{JAVASTACKTRACEPART}" }
    }
  }
}