本文内容

  • 测试数据
  • 字段属性
  • 按多行解析运行时日志
  • 把多行日志解析到字段
  • 参考资料

在处理日志时,除了访问日志外,还要处理运行时日志,该日志大都用程序写的,比如 log4j。运行时日志跟访问日志最大的不同是,运行时日志是多行,也就是说,连续的多行才能表达一个意思。

本文主要说明,如何用 multiline 出来运行日志。

如果能按多行处理,那么把他们拆分到字段就很容易了。

迁移到:http://www.bdata-cap.com/newsinfo/1712113.html

测试数据

[16-04-12 03:40:01 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.

[16-04-12 03:40:02 DEBUG] impl.JdbcEntityInserter:- from product_category product_category

where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null

order by product_category.ORDERS asc

[16-04-12 03:40:03 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.

[16-04-12 03:40:04 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.

[16-04-12 03:40:05 DEBUG] impl.JdbcEntityInserter:- from product_category product_category

where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null

order by product_category.ORDERS desc

[16-04-12 03:40:06 DEBUG] impl.JdbcEntityInserter:- from product_category product_category

where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null

order by product_category.ORDERS asc

[16-04-12 03:40:07 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.

测试是在7秒内发生的(当然是假数据)。可以看到,第二、五、六秒的日志是多行的,有条SQL语句。其他是单行的。

字段属性

对 multiline 插件来说,有三个设置比较重要:negate、pattern 和 what。

negate

  • 类型是 boolean

  • 默认为 false

否定正则表达式(如果没有匹配的话)。

pattern

  • 必须设置

  • 类型为 string

  • 没有默认值

要匹配的正则表达式。

what

  • 必须设置

  • 可以为 previous 或 next

  • 没有默认值

如果正则表达式匹配了,那么该事件是属于下一个或是前一个事件?

按多行解析运行时日志

示例1:若配置文件如下所示,

input {

        file{

                path=>"/usr/local/elk/logstash/logs/c.out"

                type=>"runtimelog"

                codec=> multiline {

                        pattern => "^\["

                        negate => true

                        what => "previous"

                }

                start_position=>"beginning"

                sincedb_path=>"/usr/local/elk/logstash/sincedb-access"

                ignore_older=>0

        }

}

output{

        stdout{

                codec=>rubydebug

        }

}

说明:匹配以“[”开头的行,如果不是,那肯定是属于前一行的。

解析结果如下所示,能解析出6个JSON:

{

    "@timestamp" => "2016-06-01T04:37:43.147Z",

       "message" => "[16-04-12 03:40:01 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

      "@version" => "1",

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T04:37:43.152Z",

       "message" => "[16-04-12 03:40:02 DEBUG] impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS asc",

      "@version" => "1",

          "tags" => [

        [0] "multiline"

    ],

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T04:37:43.152Z",

       "message" => "[16-04-12 03:40:03 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

      "@version" => "1",

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T04:37:43.155Z",

       "message" => "[16-04-12 03:40:04 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

      "@version" => "1",

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T04:37:43.157Z",

       "message" => "[16-04-12 03:40:05 DEBUG] impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS desc",

      "@version" => "1",

          "tags" => [

        [0] "multiline"

    ],

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T04:37:43.159Z",

       "message" => "[16-04-12 03:40:06 DEBUG] impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS asc",

      "@version" => "1",

          "tags" => [

        [0] "multiline"

    ],

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

解析时,最后一行日志,不会解析。只有当再追加一条日志时,才会解析最后一条日志。

示例2:若将配置文件修改为,

input {

        file{

                path=>"/usr/local/elk/logstash/logs/c.out"

                type=>"runtimelog"

                codec=>multiline  {

                        pattern => "^\["

                        negate => true

                        what => "next"

                }

                start_position=>"beginning"

                sincedb_path=>"/usr/local/elk/logstash/sincedb-access"

                ignore_older=>0

        }

}

output{

        stdout{

                codec=>rubydebug

        }

}

解析结果为,能解析出7个JSON:

{

    "@timestamp" => "2016-06-01T04:40:43.232Z",

       "message" => "[16-04-12 03:40:01 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

      "@version" => "1",

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T04:40:43.237Z",

       "message" => "[16-04-12 03:40:02 DEBUG] impl.JdbcEntityInserter:- from product_category product_category",

      "@version" => "1",

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T04:40:43.238Z",

       "message" => "where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS asc\n[16-04-12 03:40:03 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

      "@version" => "1",

          "tags" => [

        [0] "multiline"

    ],

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T04:40:43.239Z",

       "message" => "[16-04-12 03:40:04 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

      "@version" => "1",

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T04:40:43.244Z",

       "message" => "[16-04-12 03:40:05 DEBUG] impl.JdbcEntityInserter:- from product_category product_category",

      "@version" => "1",

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T04:40:43.245Z",

       "message" => "where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS desc\n[16-04-12 03:40:06 DEBUG] impl.JdbcEntityInserter:- from product_category product_category",

      "@version" => "1",

          "tags" => [

        [0] "multiline"

    ],

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T04:40:43.249Z",

       "message" => "where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS asc\n[16-04-12 03:40:07 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

      "@version" => "1",

          "tags" => [

        [0] "multiline"

    ],

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

示例3:若将配置文件修改为,

codec=>multiline  {

        pattern => "^\["

        negate => false

        what => "previous"

}

则解析结果为:

{

    "@timestamp" => "2016-06-01T05:38:50.853Z",

       "message" => "[16-04-12 03:40:01 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.\n[16-04-12 03:40:02 DEBUG] impl.JdbcEntityInserter:- from product_category product_category",

      "@version" => "1",

          "tags" => [

        [0] "multiline"

    ],

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T05:38:50.856Z",

       "message" => "where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null",

      "@version" => "1",

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T05:38:50.858Z",

       "message" => "order by product_category.ORDERS asc\n[16-04-12 03:40:03 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.\n[16-04-12 03:40:04 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.\n[16-04-12 03:40:05 DEBUG] impl.JdbcEntityInserter:- from product_category product_category",

      "@version" => "1",

          "tags" => [

        [0] "multiline"

    ],

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T05:38:50.860Z",

       "message" => "where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null",

      "@version" => "1",

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T05:38:50.861Z",

       "message" => "order by product_category.ORDERS desc\n[16-04-12 03:40:06 DEBUG] impl.JdbcEntityInserter:- from product_category product_category",

      "@version" => "1",

          "tags" => [

        [0] "multiline"

    ],

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T05:38:50.863Z",

       "message" => "where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null",

      "@version" => "1",

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

把多行日志解析到字段

配置文件如下所示:

input {

        file{

                path=>"/usr/local/elk/logstash/logs/c.out"

                type=>"runtimelog"

                codec=>multiline  {

                        pattern => "^\["

                        negate => true

                        what => "previous"

                }

                start_position=>"beginning"

                sincedb_path=>"/usr/local/elk/logstash/sincedb-access"

                ignore_older=>0

        }

}

filter {

        grok {

                match=>["message","\[%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level}\] %{GREEDYDATA:msg}"]

        }

}

output{

        stdout{

                codec=>rubydebug

        }

}

解析后结果:

{

    "@timestamp" => "2016-06-01T06:33:26.426Z",

       "message" => "[16-04-12 03:40:01 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

      "@version" => "1",

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog",

     "timestamp" => "16-04-12 03:40:01",

         "level" => "DEBUG",

           "msg" => "model.MappingNode:- ['/store/shopclass'] matched over."

}

{

    "@timestamp" => "2016-06-01T06:33:26.485Z",

       "message" => "[16-04-12 03:40:02 DEBUG] impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS asc",

      "@version" => "1",

          "tags" => [

        [0] "multiline"

    ],

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog",

     "timestamp" => "16-04-12 03:40:02",

         "level" => "DEBUG",

           "msg" => "impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS asc"

}

{

    "@timestamp" => "2016-06-01T06:33:26.491Z",

       "message" => "[16-04-12 03:40:03 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

      "@version" => "1",

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog",

     "timestamp" => "16-04-12 03:40:03",

         "level" => "DEBUG",

           "msg" => "model.MappingNode:- ['/store/shopclass'] matched over."

}

{

    "@timestamp" => "2016-06-01T06:33:26.492Z",

       "message" => "[16-04-12 03:40:04 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

      "@version" => "1",

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog",

     "timestamp" => "16-04-12 03:40:04",

         "level" => "DEBUG",

           "msg" => "model.MappingNode:- ['/store/shopclass'] matched over."

}

{

    "@timestamp" => "2016-06-01T06:33:26.494Z",

       "message" => "[16-04-12 03:40:05 DEBUG] impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS desc",

      "@version" => "1",

          "tags" => [

        [0] "multiline"

    ],

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog",

     "timestamp" => "16-04-12 03:40:05",

         "level" => "DEBUG",

           "msg" => "impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS desc"

}

{

    "@timestamp" => "2016-06-01T06:33:26.495Z",

       "message" => "[16-04-12 03:40:06 DEBUG] impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS asc",

      "@version" => "1",

          "tags" => [

        [0] "multiline"

    ],

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog",

     "timestamp" => "16-04-12 03:40:06",

         "level" => "DEBUG",

           "msg" => "impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS asc"

}

参考资料

Logstash——multiline 插件,匹配多行日志的更多相关文章

  1. logstash之multiline插件,匹配多行日志

    在外理日志时,除了访问日志外,还要处理运行时日志,该日志大都用程序写的,比如log4j.运行时日志跟访问日志最大的不同是,运行时日志是多行,也就是说,连续的多行才能表达一个意思. 在filter中,加 ...

  2. Logstash——multiline 插件,匹配多行日志

    本文内容 测试数据 字段属性 按多行解析运行时日志 把多行日志解析到字段 参考资料 在处理日志时,除了访问日志外,还要处理运行时日志,该日志大都用程序写的,比如 log4j.运行时日志跟访问日志最大的 ...

  3. Logstash-安装logstash-filter-multiline插件(解决logstash匹配多行日志)

    ELK-logstash在搬运日志的时候会出现多行日志,普通的搬运会造成保存到ES中日志一条一条的保存,很丑,而且不方便读取,logstash-filter-multiline可以解决该问题. 接下来 ...

  4. logstash匹配多行日志

    在工作中,遇到一个问题就是日志的处理,首选的方案就是ELFK(filebeat+logstash+es+kibana) 因为之前使用过logstash采集日志的时候,非常的消耗系统的资源,所以这里我选 ...

  5. Python正则处理多行日志一例

    正则表达式基础知识请参阅<正则表达式基础知识>,本文使用正则表达式来匹配多行日志并从中解析出相应的信息. 假设现在有这样的SQL日志: SELECT * FROM open_app WHE ...

  6. Python正则处理多行日志一例(可配置化)

    正则表达式基础知识请参阅<正则表达式基础知识>,本文使用正则表达式来匹配多行日志并从中解析出相应的信息. 假设现在有这样的SQL日志: SELECT * FROM open_app WHE ...

  7. 写给大忙人的ELK最新版6.2.4学习笔记-Logstash和Filebeat解析(java异常堆栈下多行日志配置支持)

    接前一篇CentOS 7下最新版(6.2.4)ELK+Filebeat+Log4j日志集成环境搭建完整指南,继续对ELK. logstash官方最新文档https://www.elastic.co/g ...

  8. ELK学习笔记之Logstash和Filebeat解析对java异常堆栈下多行日志配置支持

    0x00 概述 logstash官方最新文档.假设有几十台服务器,每台服务器要监控系统日志syslog.tomcat日志.nginx日志.mysql日志等等,监控OOM.内存低下进程被kill.ngi ...

  9. logstash 安装插件multiline

    一.安装multiline 在使用elk 传输记录 java 日志时,如下 一个java的报错 在elk中会按每一行 产生多条记录,不方便查阅 这里修改配置文件 使用  multiline   插件 ...

随机推荐

  1. 解决Android中多次点击启动多个相同界面的问题

    在Android开发过程中我们经常会碰到这样的问题,当用户点击一个View启动一个新的Activity的时候,如果快速地多次点击就会启动多个相同的界面.虽然说很少会有用户这么玩自己的手机,但是一旦出现 ...

  2. POI 读取word (word 2003 和 word 2007) (转)

    最近在给客户做系统的时候,用户提出需求,要能够导入 word 文件,现在 microsoft word 有好几个版本 97.2003.2007的,这三个版本存储数据的格式上都有相当大的差别,而现在 9 ...

  3. Java实验二20135104

    课程:Java程序设计          班级: 1351 姓名:刘帅                学号:20135104 成绩:             指导教师:娄嘉鹏       实验日期:2 ...

  4. IIS Connection Timeout vs httpRuntime executionTimeout

    IIS Connection Timeout specifies how long, in seconds, should the code wait before timing out from t ...

  5. @Autowired @Resource用法

    @Autowired的用法和作用 这个注解就是spring可以自动帮你把bean里面引用的对象的setter/getter方法省略,它会自动帮你set/get. <bean id="u ...

  6. JS检测浏览器是否支持HTML5视频播放 (标签<video>) ,

    function checkVideo() { if (!!document.createElement('video').canPlayType) { var vidTest = document. ...

  7. 老调重弹:JDBC系列之<驱动加载原理全面解析) ----转

      最近在研究Mybatis框架,由于该框架基于JDBC,想要很好地理解和学习Mybatis,必须要对JDBC有较深入的了解.所以便把JDBC 这个东东翻出来,好好总结一番,作为自己的笔记,也是给读者 ...

  8. URAL 1915 Titan Ruins: Reconstruction of Bygones(思路)

    搞这个题差不多是从比赛开始到结束. 从自信慢慢的看题一直到wrong到死. 这个题目可以说成是思路题,以为我们只要明白一点,这道题就成了纯暴力的水题, 那就是当操作数不足栈中数字数目的时候,我们就没有 ...

  9. ASP.NET MVC学习之过滤器篇(2)

    下面我们继续之前的ASP.NET MVC学习之过滤器篇(1)进行学习. 3.动作过滤器 顾名思义,这个过滤器就是在动作方法调用前与调用后响应的.我们可以在调用前更改实际调用的动作,也可以在动作调用完成 ...

  10. 设计模式之美:Composite(组合)

    索引 意图 结构 参与者 适用性 缺点 效果 相关模式 实现 实现方式(一):在 Component 中定义公共接口以保持透明性但损失安全性. 意图 将对象组合成树形结构以表示 “部分-整体” 的层次 ...