在外理日志时,除了访问日志外,还要处理运行时日志,该日志大都用程序写的,比如log4j。运行时日志跟访问日志最大的不同是,运行时日志是多行,也就是说,连续的多行才能表达一个意思。

在filter中,加入以下代码:

filter {

  multiline {  }

}

如果能按多行处理,那么把他们拆分到字段就很容易了。

字段属性:

对于multiline插件来说,有三个设置比较重要:negate , pattern 和 what

negate:类型是boolean默认为false

pattern:

必须设置,并且没有默认值,类型为string,要匹配下则表达式

what:

必须设置,并且没有默认值,可以为previous(之前的)或next

下面看看这个例子:

# cat logstash_multiline_shipper.conf

input {

    file {

        path => "/apps/logstash/conf/test/c.out"

        type => "runtimelog"

        codec => multiline {

            pattern => "^\["

            negate => true

            what => "previous"

         }

        start_position => "beginning"

        sincedb_path => "/apps/logstash/logs/sincedb-access"

        ignore_older =>

     }

 }

output {

    stdout{

        codec => rubydebug

     }

 }

说明:区配以"["开头的行,如果不是,那肯定是属于前一行的

测试数据如下:

[-- :: DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.

[-- :: DEBUG] impl.JdbcEntityInserter:- from product_category product_category

where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null

order by product_category.ORDERS asc

[-- :: DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.

[-- :: DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.

[-- :: DEBUG] impl.JdbcEntityInserter:- from product_category product_category

where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null

order by product_category.ORDERS desc

[-- :: DEBUG] impl.JdbcEntityInserter:- from product_category product_category

where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null

order by product_category.ORDERS asc

[-- :: DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.

启动logstash:

# ./../bin/logstash -f logstash_multiline_shipper.conf

Sending Logstash's logs to /apps/logstash/logs which is now configured via log4j2.properties

[--09T15::,][INFO ][logstash.pipeline        ] Starting pipeline {"id"=>"main", "pipeline.workers"=>, "pipeline.batch.size"=>, "pipeline.batch.delay"=>, "pipeline.max_inflight"=>}

[--09T15::,][INFO ][logstash.pipeline        ] Pipeline main started

[--09T15::,][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>}

加入测试数据到被监控的log后,查看输出:

# ./../bin/logstash -f logstash_multiline_shipper.conf

Sending Logstash's logs to /apps/logstash/logs which is now configured via log4j2.properties

[--09T15::,][INFO ][logstash.pipeline        ] Starting pipeline {"id"=>"main", "pipeline.workers"=>, "pipeline.batch.size"=>, "pipeline.batch.delay"=>, "pipeline.max_inflight"=>}

[--09T15::,][INFO ][logstash.pipeline        ] Pipeline main started

[--09T15::,][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>}

{

          "path" => "/apps/logstash/conf/test/c.out",

    "@timestamp" => --09T07::.403Z,

      "@version" => "",

          "host" => "ofs1",

       "message" => "# ./../bin/logstash -f logstash_multiline_shipper.conf \nSending Logstash's logs to /apps/logstash/logs which is now configured via log4j2.properties",

          "type" => "runtimelog",

          "tags" => [

        [] "multiline"

    ]

}

{

          "path" => "/apps/logstash/conf/test/c.out",

    "@timestamp" => --09T07::.409Z,

      "@version" => "",

          "host" => "ofs1",

       "message" => "[2016-12-09T15:16:59,173][INFO ][logstash.pipeline        ] Starting pipeline {\"id\"=>\"main\", \"pipeline.workers\"=>4, \"pipeline.batch.size\"=>125, \"pipeline.batch.delay\"=>5, \"pipeline.max_inflight\"=>500}",

          "type" => "runtimelog",

          "tags" => []

}

{

          "path" => "/apps/logstash/conf/test/c.out",

    "@timestamp" => --09T07::.410Z,

      "@version" => "",

          "host" => "ofs1",

       "message" => "[2016-12-09T15:16:59,192][INFO ][logstash.pipeline        ] Pipeline main started",

          "type" => "runtimelog",

          "tags" => []

}

logstash之multiline插件,匹配多行日志的更多相关文章

  1. Logstash——multiline 插件,匹配多行日志

    本文内容 测试数据 字段属性 按多行解析运行时日志 把多行日志解析到字段 参考资料 在处理日志时,除了访问日志外,还要处理运行时日志,该日志大都用程序写的,比如 log4j.运行时日志跟访问日志最大的 ...

  2. Logstash——multiline 插件,匹配多行日志

    本文内容 测试数据 字段属性 按多行解析运行时日志 把多行日志解析到字段 参考资料 在处理日志时,除了访问日志外,还要处理运行时日志,该日志大都用程序写的,比如 log4j.运行时日志跟访问日志最大的 ...

  3. Logstash-安装logstash-filter-multiline插件(解决logstash匹配多行日志)

    ELK-logstash在搬运日志的时候会出现多行日志,普通的搬运会造成保存到ES中日志一条一条的保存,很丑,而且不方便读取,logstash-filter-multiline可以解决该问题. 接下来 ...

  4. logstash匹配多行日志

    在工作中,遇到一个问题就是日志的处理,首选的方案就是ELFK(filebeat+logstash+es+kibana) 因为之前使用过logstash采集日志的时候,非常的消耗系统的资源,所以这里我选 ...

  5. Logstash之multiline 插件

    input { stdin { codec => multiline { pattern => "^\[" negate => true what => & ...

  6. logstash 中multiline插件的用法

    input { stdin { codec =>multiline { charset=>... #可选 字符编码 max_bytes=>... #可选 bytes类型 设置最大的字 ...

  7. Python正则处理多行日志一例

    正则表达式基础知识请参阅<正则表达式基础知识>,本文使用正则表达式来匹配多行日志并从中解析出相应的信息. 假设现在有这样的SQL日志: SELECT * FROM open_app WHE ...

  8. Python正则处理多行日志一例(可配置化)

    正则表达式基础知识请参阅<正则表达式基础知识>,本文使用正则表达式来匹配多行日志并从中解析出相应的信息. 假设现在有这样的SQL日志: SELECT * FROM open_app WHE ...

  9. 写给大忙人的ELK最新版6.2.4学习笔记-Logstash和Filebeat解析(java异常堆栈下多行日志配置支持)

    接前一篇CentOS 7下最新版(6.2.4)ELK+Filebeat+Log4j日志集成环境搭建完整指南,继续对ELK. logstash官方最新文档https://www.elastic.co/g ...

随机推荐

  1. imageable.touch

    使用 callback 确保创建,更新和删除 Picture 时,touch 关联的 imageable,使得其缓存能正确过期 这个update的方法用来把update时间强制更新成当前时间 http ...

  2. 51Nod 1766 树上的最远点对

    Description 一棵树,询问两个端点编号分别在在 \([a,b]\) 和 \([c,d]\) 两个区间中的最长链. Sol 线段树+ST表. 树上最长链可以合并,只需要合并两个区间最长链的两个 ...

  3. BZOJ 4544: 椭圆上的整点

    Sol 数学. 跟圆上的整点一样...TA写了个积性函数的算法...以后再说吧... \(x^2+3y^2=r^2\) \(3y^2=r^2-x^2\) \(3y^2=(r-x)(r+x)\) \(y ...

  4. iframe自适应宽度

    <iframe id="course_content" style="width:100%;margin:5px 0 0;" scrolling=&quo ...

  5. 交叉编译inetutils并配置telnet服务

    inetutils集成了许多网络客户和服务程序,主要有,finger, ftp, ftpd, rcp, rexec, rlogin, rlogind, rsh, rshd, syslog,syslog ...

  6. KendoUI之kendoGrid服务端分页

    parameterMap:设定传递给服务器的当前页数与每页大小,django下用get方法有效,post方法无法取得这2个参数shema.total:设定总行数serverPaging: true / ...

  7. spring的对象属性相同(类型,名字)拷贝

    A类: package test; /** * Created by gmq on 2015/12/4. */ public class A { private String aa; private ...

  8. 欧洲杯 2016 高清直播 - 观看工具 UEFA-EURO-2016-Play.7z

    OnlineTV-MPlayer-nocache.exe 占 CPU 内存 较少 OnlineTV-FFPlay.exe 可截取图像 UEFA-EURO-2016-Play-v5.7z UEFA-EU ...

  9. problem-record-mysql

    #!/bin/bash # # Update_Problem - updates problem record in database ################################ ...

  10. Mathematics:Prime Path(POJ 3126)

    素数通道 题目大意:给定两个素数a,b,要你找到一种变换,使得每次变换都是素数,如果能从a变换到b,则输出最小步数,否则输出Impossible 水题,因为要求最小步数,所以我们只需要找到到每个素数的 ...