使用logstash如何组合以时间戳开头的行
下面是我需要使用logstash解析的示例日志文件:使用logstash如何组合以时间戳开头的行,logstash,multiline,logstash-grok,Logstash,Multiline,Logstash Grok,下面是我需要使用logstash解析的示例日志文件: 2016-12-27 07:54:38.621 8407 ERROR oslo_service.service Traceback (most recent call last): 2016-12-27 07:54:38.621 8407 ERROR oslo_service.service File "/usr/lib/python2.7/dist-packages/oslo_service/service.py", line 680,
2016-12-27 07:54:38.621 8407 ERROR oslo_service.service Traceback (most recent call last):
2016-12-27 07:54:38.621 8407 ERROR oslo_service.service File "/usr/lib/python2.7/dist-packages/oslo_service/service.py", line 680, in run_service
2016-12-27 07:54:38.621 8407 ERROR oslo_service.service service.start()
2016-12-27 07:54:38.621 8407 ERROR oslo_service.service File "/usr/lib/python2.7/dist-packages/nova/service.py", line 428, in start
2016-12-27 07:54:38.621 8407 ERROR oslo_service.service self.binary)
2016-12-27 07:54:38.621 8407 ERROR oslo_service.service File "/usr/lib/python2.7/dist-packages/oslo_versionedobjects/base.py", line 181, in wrapper
提前谢谢你 如果您使用
grokmultilineinput {
file {
path => [""] <-- path to your log directory
start_position => "beginning"
codec => multiline {
pattern => "^%{TIMESTAMP_ISO8601}"
negate => true
what => previous
}
}
}
filter {
grok {
patterns_dir => "./patterns" <-- the path to the patterns file
match=>["message","%{TIMESTAMP_ISO8601:timestamp} %{WORD:level} %{GREEDYDATA:content}"]
}
}
输入{
文件{
路径=>[“”]开始
编解码器=>多行{
模式=>“^%{TIMESTAMP_ISO8601}”
否定=>true
什么=>以前的
}
}
}
滤器{
格罗克{
patterns_dir=>“/patterns”[“message”,“%{TIMESTAMP_ISO8601:TIMESTAMP}%{WORD:level}%{greedydydata:content}”]
}
}
Multiline这可能也有帮助。希望有帮助 有两种方法可以实现
- 日志存储输入中的多行
input {
beats {
port => 5044
codec => multiline {
pattern => "^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}[\.,][0-9]{3,7} "
negate => true
what => "previous"
}
congestion_threshold => 40
}
}
- 对数滤波器中的多重线性
filter {
if [@metadata][beat] =~ "xxxx" {
multiline {
pattern => "^%{TIMESTAMP_ISO8601}"
negate => true
what => "previous"
}
}
}