logstash配置codec插件-多行模式

By Joyous | 2017年6月13日 - 下午 3:14 |2017年6月13日 ELK

用途
应用日志多行打印
配置logstash
input {
    file {
        path => ["/data/test/test/test.log"]
        type => "demo-codec-multiline-log"
        start_position => "beginning"
        codec => multiline {
            pattern => "^["
            negate => true
            what => "previous"
        }
    }
}
output {
    stdout{
        codec=>rubydebug
    }
}
备注：
what 只能是previous或者next，previous指定行匹配pattern选项的内容是上一行的一部分，next指定行匹配pattern选项的内容是下一行的一部分
启动
bin/logstash -f /etc/logstash/conf.d/demo-codec-multiline.conf
结果
{
          "path" => "/data/test/test/test.log",
    "@timestamp" => 2017-06-13T07:09:16.452Z,
      "@version" => "1",
          "host" => "192-168-56-201",
       "message" => "[info] test 4\ntest 5\ntest 6",
          "type" => "demo-codec-multiline-log",
          "tags" => [
        [0] "multiline"
    ]
}
{
          "path" => "/data/test/test/test.log",
    "@timestamp" => 2017-06-13T07:09:40.516Z,
      "@version" => "1",
          "host" => "192-168-56-201",
       "message" => "[error]test 6\ntest 7",
          "type" => "demo-codec-multiline-log",
          "tags" => [
        [0] "multiline"
    ]
}

Tagged codec, elk, logstash, multiline. Bookmark the permalink.

Comments are closed.