logstash grok multiline - how to merge into the previous line anything that doesn't start with a timestamp

Tags: logstash, multiline, grok

Sometimes I print indented, pretty-printed JSON to the log, and it comes out across multiple lines. So I need to be able to tell logstash to append those printed lines to the original line of the original event.

For example:

xxx p:INFO d:2015-07-21 11:11:58,906 sourceThread:3iMind-Atlas-akka.actor.default-dispatcher-2 queryUserId: queryId: hrvJobId:6c1a4d60-e5e6-40d8-80aa-a4dc00e9f0c4 etlStreamId:70 etlOmdId: etlDocId: logger:tim.atlas.module.etl.mq.MQConnectorEtl msg:(st:Consuming) received NotifyMQ. sending to [openmind_exchange/job_ack] message:
{
  "JobId" : "6c1a4d60-e5e6-40d8-80aa-a4dc00e9f0c4",
  "Time" : "2015-07-21T11:11:58.904Z",
  "Errors" : [ ],
  "FeedItemSchemaCounts" : {
    "Document" : 1,
    "DocumentMetadata" : 1
  },
  "OtherSchemaCounts" : { }
}
Since I have already set up a special log4j appender that serves only as the logstash input, this task should be simple. I control the log layout, so I can add as many prefix/suffix indicators as I like.

Here is what my appender looks like:

log4j.appender.logstash-input.layout.ConversionPattern=xxx p:%p d:%d{yyyy-MM-dd HH:mm:ss,SSS}{UTC} sourceThread:%X{sourceThread} queryUserId:%X{userId} queryId:%X{queryId} hrvJobId:%X{hrvJobId} etlStreamId:%X{etlStreamId} etlOmdId:%X{etlOmdId} etlDocId:%X{etlDocId} logger:%c msg:%m%n
As you can see, I prefix every message with "xxx", so I can tell logstash to append any line that doesn't start with "xxx" to the previous line.

Here is my logstash config:

if [type] == "om-svc-atlas" {
    grok {
        match => [ "message" , "(?m)p:%{LOGLEVEL:loglevel} d:%{TIMESTAMP_ISO8601:logdate} sourceThread:%{GREEDYDATA:sourceThread} queryUserId:%{GREEDYDATA:userId} queryId:%{GREEDYDATA:queryId} hrvJobId:%{GREEDYDATA:hrvJobId} etlStreamId:%{GREEDYDATA:etlStreamId} etlOmdId:%{GREEDYDATA:etlOmdId} etlDocId:%{GREEDYDATA:etlDocId} logger:%{GREEDYDATA:logger} msg:%{GREEDYDATA:msg}" ]
        add_tag => "om-svc-atlas"
    }
    date {
        match => [ "logdate" , "YYYY-MM-dd HH:mm:ss,SSS" ]
        timezone => "UTC"
    }
    multiline {
        pattern => "<please tell me what to put here to tell logstash to append any line which doesnt start with xxx to the previous line>"
        what => "previous"
    }
  }

Yes, it is indeed simple:

if [type] == "om-svc-atlas" {
    grok {
        match => [ "message" , "(?m)p:%{LOGLEVEL:loglevel} d:%{TIMESTAMP_ISO8601:logdate} sourceThread:%{GREEDYDATA:sourceThread} queryUserId:%{GREEDYDATA:userId} queryId:%{GREEDYDATA:queryId} hrvJobId:%{GREEDYDATA:hrvJobId} etlStreamId:%{GREEDYDATA:etlStreamId} etlOmdId:%{GREEDYDATA:etlOmdId} etlDocId:%{GREEDYDATA:etlDocId} logger:%{GREEDYDATA:logger} msg:%{GREEDYDATA:msg}" ]
        add_tag => "om-svc-atlas"
    }
    date {
        match => [ "logdate" , "YYYY-MM-dd HH:mm:ss,SSS" ]
        timezone => "UTC"
    }
    multiline {
        pattern => "^(?!xxx).+"
        what => "previous"
    }
  }
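To show what the accepted pattern actually does, here is an added Python model of the multiline merge followed by the grok parse. This is example code written for this page, not code from the post or from Logstash. It mimics the multiline filter's `what => "previous"` behaviour with the `^(?!xxx).+` pattern, then parses each merged event with a Python regex standing in for the post's grok pattern (GREEDYDATA taken as `.*` with DOTALL, mirroring grok's `(?m)`), and decodes the pretty-printed JSON into a `msg_json` field (a name chosen here). The first event in the sample input is the one from the question; the second, single-line event is constructed. The merge runs before the parse so that `msg` captures the whole JSON body rather than only its first line.

```python
import json
import re

# Python stand-in for the post's grok pattern (an added example, not Logstash code):
# LOGLEVEL -> upper-case word, TIMESTAMP_ISO8601 -> "yyyy-MM-dd HH:mm:ss,SSS",
# GREEDYDATA -> ".*". DOTALL mirrors grok's "(?m)", which in Oniguruma lets "."
# cross newlines so that "msg" can span the merged JSON lines.
GROK_EQUIV = re.compile(
    r"p:(?P<loglevel>[A-Z]+) "
    r"d:(?P<logdate>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"sourceThread:(?P<sourceThread>.*) queryUserId:(?P<userId>.*) "
    r"queryId:(?P<queryId>.*) hrvJobId:(?P<hrvJobId>.*) "
    r"etlStreamId:(?P<etlStreamId>.*) etlOmdId:(?P<etlOmdId>.*) "
    r"etlDocId:(?P<etlDocId>.*) logger:(?P<logger>.*) msg:(?P<msg>.*)",
    re.DOTALL,
)

# Constructed input: the first event is the one from the question, the second
# single-line event is made up here to show that event boundaries are kept.
SAMPLE_LOG = """\
xxx p:INFO d:2015-07-21 11:11:58,906 sourceThread:3iMind-Atlas-akka.actor.default-dispatcher-2 queryUserId: queryId: hrvJobId:6c1a4d60-e5e6-40d8-80aa-a4dc00e9f0c4 etlStreamId:70 etlOmdId: etlDocId: logger:tim.atlas.module.etl.mq.MQConnectorEtl msg:(st:Consuming) received NotifyMQ. sending to [openmind_exchange/job_ack] message:
{
  "JobId" : "6c1a4d60-e5e6-40d8-80aa-a4dc00e9f0c4",
  "Time" : "2015-07-21T11:11:58.904Z",
  "Errors" : [ ],
  "FeedItemSchemaCounts" : {
    "Document" : 1,
    "DocumentMetadata" : 1
  },
  "OtherSchemaCounts" : { }
}
xxx p:WARN d:2015-07-21 11:12:00,001 sourceThread:t-1 queryUserId:u1 queryId:q1 hrvJobId:j1 etlStreamId:71 etlOmdId: etlDocId: logger:tim.atlas.Other msg:single-line event (constructed)
"""


def merge_multiline(lines, pattern=r"^(?!xxx).+"):
    """Model of the Logstash multiline filter with what => "previous".

    A line matching `pattern` is appended to the buffered event; any other line
    starts a new event. A buffered event is emitted when the next start line
    arrives, and the last one is flushed at end of input.
    """
    continuation = re.compile(pattern)
    buffered = None
    for line in lines:
        line = line.rstrip("\n")
        if buffered is not None and continuation.match(line):
            buffered += "\n" + line
            continue
        if buffered is not None:
            yield buffered
        buffered = line
    if buffered is not None:
        yield buffered


def parse_event(message):
    """Apply the grok-equivalent regex; on failure tag the event like Logstash does."""
    match = GROK_EQUIV.search(message)
    if match is None:
        return {"message": message, "tags": ["_grokparsefailure"]}
    event = match.groupdict()
    event["message"] = message
    # Anything after the first msg line is the pretty-printed JSON; decode it
    # into "msg_json" (a field name chosen for this example) when it parses.
    _, newline, body = event["msg"].partition("\n")
    if newline:
        try:
            event["msg_json"] = json.loads(body)
        except ValueError:
            pass
    return event


def process_log(text, pattern=r"^(?!xxx).+"):
    """Merge first, then parse, so msg captures the whole JSON body."""
    return [parse_event(e) for e in merge_multiline(text.splitlines(), pattern)]


if __name__ == "__main__":
    for event in process_log(SAMPLE_LOG):
        print(event["loglevel"], event["hrvJobId"], event.get("msg_json", {}).get("JobId"))
```

Two caveats worth knowing when using this pattern. First, `^(?!xxx).+` needs at least one character, so an empty line does not match and starts a new (empty) event of its own; `^(?!xxx)` on its own also swallows blank lines, and the same effect can be written in Logstash without the lookahead as `pattern => "^xxx"`, `negate => true`, `what => "previous"`. Second, event boundaries are decided by the prefix alone: any text that reaches the log and begins a line with `xxx ` (for example user-supplied data echoed into `%m`) is parsed as a separate event with whatever fields it claims, so a less guessable prefix, or escaping newlines in the message, keeps that log content from forging events.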