本文内容

  • 测试数据
  • 字段属性
  • 按多行解析运行时日志
  • 把多行日志解析到字段
  • 参考资料

在处理日志时,除了访问日志外,还要处理运行时日志,该日志大都用程序写的,比如 log4j。运行时日志跟访问日志最大的不同是,运行时日志是多行,也就是说,连续的多行才能表达一个意思。

本文主要说明,如何用 multiline 出来运行日志。

如果能按多行处理,那么把他们拆分到字段就很容易了。

迁移到:http://www.bdata-cap.com/newsinfo/1712113.html

测试数据

[16-04-12 03:40:01 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.

[16-04-12 03:40:02 DEBUG] impl.JdbcEntityInserter:- from product_category product_category

where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null

order by product_category.ORDERS asc

[16-04-12 03:40:03 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.

[16-04-12 03:40:04 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.

[16-04-12 03:40:05 DEBUG] impl.JdbcEntityInserter:- from product_category product_category

where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null

order by product_category.ORDERS desc

[16-04-12 03:40:06 DEBUG] impl.JdbcEntityInserter:- from product_category product_category

where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null

order by product_category.ORDERS asc

[16-04-12 03:40:07 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.

测试是在7秒内发生的(当然是假数据)。可以看到,第二、五、六秒的日志是多行的,有条SQL语句。其他是单行的。

字段属性

对 multiline 插件来说,有三个设置比较重要:negate、pattern 和 what。

negate

  • 类型是 boolean

  • 默认为 false

否定正则表达式(如果没有匹配的话)。

pattern

  • 必须设置

  • 类型为 string

  • 没有默认值

要匹配的正则表达式。

what

  • 必须设置

  • 可以为 previous 或 next

  • 没有默认值

如果正则表达式匹配了,那么该事件是属于下一个或是前一个事件?

按多行解析运行时日志

示例1:若配置文件如下所示,

input {

        file{

                path=>"/usr/local/elk/logstash/logs/c.out"

                type=>"runtimelog"

                codec=> multiline {

                        pattern => "^\["

                        negate => true

                        what => "previous"

                }

                start_position=>"beginning"

                sincedb_path=>"/usr/local/elk/logstash/sincedb-access"

                ignore_older=>0

        }

}

output{

        stdout{

                codec=>rubydebug

        }

}

说明:匹配以“[”开头的行,如果不是,那肯定是属于前一行的。

解析结果如下所示,能解析出6个JSON:

{

    "@timestamp" => "2016-06-01T04:37:43.147Z",

       "message" => "[16-04-12 03:40:01 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

      "@version" => "1",

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T04:37:43.152Z",

       "message" => "[16-04-12 03:40:02 DEBUG] impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS asc",

      "@version" => "1",

          "tags" => [

        [0] "multiline"

    ],

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T04:37:43.152Z",

       "message" => "[16-04-12 03:40:03 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

      "@version" => "1",

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T04:37:43.155Z",

       "message" => "[16-04-12 03:40:04 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

      "@version" => "1",

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T04:37:43.157Z",

       "message" => "[16-04-12 03:40:05 DEBUG] impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS desc",

      "@version" => "1",

          "tags" => [

        [0] "multiline"

    ],

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T04:37:43.159Z",

       "message" => "[16-04-12 03:40:06 DEBUG] impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS asc",

      "@version" => "1",

          "tags" => [

        [0] "multiline"

    ],

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

解析时,最后一行日志,不会解析。只有当再追加一条日志时,才会解析最后一条日志。

示例2:若将配置文件修改为,

input {

        file{

                path=>"/usr/local/elk/logstash/logs/c.out"

                type=>"runtimelog"

                codec=>multiline  {

                        pattern => "^\["

                        negate => true

                        what => "next"

                }

                start_position=>"beginning"

                sincedb_path=>"/usr/local/elk/logstash/sincedb-access"

                ignore_older=>0

        }

}

output{

        stdout{

                codec=>rubydebug

        }

}

解析结果为,能解析出7个JSON:

{

    "@timestamp" => "2016-06-01T04:40:43.232Z",

       "message" => "[16-04-12 03:40:01 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

      "@version" => "1",

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T04:40:43.237Z",

       "message" => "[16-04-12 03:40:02 DEBUG] impl.JdbcEntityInserter:- from product_category product_category",

      "@version" => "1",

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T04:40:43.238Z",

       "message" => "where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS asc\n[16-04-12 03:40:03 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

      "@version" => "1",

          "tags" => [

        [0] "multiline"

    ],

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T04:40:43.239Z",

       "message" => "[16-04-12 03:40:04 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

      "@version" => "1",

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T04:40:43.244Z",

       "message" => "[16-04-12 03:40:05 DEBUG] impl.JdbcEntityInserter:- from product_category product_category",

      "@version" => "1",

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T04:40:43.245Z",

       "message" => "where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS desc\n[16-04-12 03:40:06 DEBUG] impl.JdbcEntityInserter:- from product_category product_category",

      "@version" => "1",

          "tags" => [

        [0] "multiline"

    ],

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T04:40:43.249Z",

       "message" => "where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS asc\n[16-04-12 03:40:07 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

      "@version" => "1",

          "tags" => [

        [0] "multiline"

    ],

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

示例3:若将配置文件修改为,

codec=>multiline  {

        pattern => "^\["

        negate => false

        what => "previous"

}

则解析结果为:

{

    "@timestamp" => "2016-06-01T05:38:50.853Z",

       "message" => "[16-04-12 03:40:01 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.\n[16-04-12 03:40:02 DEBUG] impl.JdbcEntityInserter:- from product_category product_category",

      "@version" => "1",

          "tags" => [

        [0] "multiline"

    ],

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T05:38:50.856Z",

       "message" => "where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null",

      "@version" => "1",

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T05:38:50.858Z",

       "message" => "order by product_category.ORDERS asc\n[16-04-12 03:40:03 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.\n[16-04-12 03:40:04 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.\n[16-04-12 03:40:05 DEBUG] impl.JdbcEntityInserter:- from product_category product_category",

      "@version" => "1",

          "tags" => [

        [0] "multiline"

    ],

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T05:38:50.860Z",

       "message" => "where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null",

      "@version" => "1",

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T05:38:50.861Z",

       "message" => "order by product_category.ORDERS desc\n[16-04-12 03:40:06 DEBUG] impl.JdbcEntityInserter:- from product_category product_category",

      "@version" => "1",

          "tags" => [

        [0] "multiline"

    ],

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

{

    "@timestamp" => "2016-06-01T05:38:50.863Z",

       "message" => "where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null",

      "@version" => "1",

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog"

}

把多行日志解析到字段

配置文件如下所示:

input {

        file{

                path=>"/usr/local/elk/logstash/logs/c.out"

                type=>"runtimelog"

                codec=>multiline  {

                        pattern => "^\["

                        negate => true

                        what => "previous"

                }

                start_position=>"beginning"

                sincedb_path=>"/usr/local/elk/logstash/sincedb-access"

                ignore_older=>0

        }

}

filter {

        grok {

                match=>["message","\[%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level}\] %{GREEDYDATA:msg}"]

        }

}

output{

        stdout{

                codec=>rubydebug

        }

}

解析后结果:

{

    "@timestamp" => "2016-06-01T06:33:26.426Z",

       "message" => "[16-04-12 03:40:01 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

      "@version" => "1",

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog",

     "timestamp" => "16-04-12 03:40:01",

         "level" => "DEBUG",

           "msg" => "model.MappingNode:- ['/store/shopclass'] matched over."

}

{

    "@timestamp" => "2016-06-01T06:33:26.485Z",

       "message" => "[16-04-12 03:40:02 DEBUG] impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS asc",

      "@version" => "1",

          "tags" => [

        [0] "multiline"

    ],

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog",

     "timestamp" => "16-04-12 03:40:02",

         "level" => "DEBUG",

           "msg" => "impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS asc"

}

{

    "@timestamp" => "2016-06-01T06:33:26.491Z",

       "message" => "[16-04-12 03:40:03 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

      "@version" => "1",

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog",

     "timestamp" => "16-04-12 03:40:03",

         "level" => "DEBUG",

           "msg" => "model.MappingNode:- ['/store/shopclass'] matched over."

}

{

    "@timestamp" => "2016-06-01T06:33:26.492Z",

       "message" => "[16-04-12 03:40:04 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

      "@version" => "1",

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog",

     "timestamp" => "16-04-12 03:40:04",

         "level" => "DEBUG",

           "msg" => "model.MappingNode:- ['/store/shopclass'] matched over."

}

{

    "@timestamp" => "2016-06-01T06:33:26.494Z",

       "message" => "[16-04-12 03:40:05 DEBUG] impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS desc",

      "@version" => "1",

          "tags" => [

        [0] "multiline"

    ],

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog",

     "timestamp" => "16-04-12 03:40:05",

         "level" => "DEBUG",

           "msg" => "impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS desc"

}

{

    "@timestamp" => "2016-06-01T06:33:26.495Z",

       "message" => "[16-04-12 03:40:06 DEBUG] impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS asc",

      "@version" => "1",

          "tags" => [

        [0] "multiline"

    ],

          "path" => "/usr/local/elk/logstash/logs/c.out",

          "host" => "vcyber",

          "type" => "runtimelog",

     "timestamp" => "16-04-12 03:40:06",

         "level" => "DEBUG",

           "msg" => "impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS asc"

}

参考资料

Logstash——multiline 插件,匹配多行日志的更多相关文章

  1. logstash之multiline插件,匹配多行日志

    在外理日志时,除了访问日志外,还要处理运行时日志,该日志大都用程序写的,比如log4j.运行时日志跟访问日志最大的不同是,运行时日志是多行,也就是说,连续的多行才能表达一个意思. 在filter中,加 ...

  2. Logstash——multiline 插件,匹配多行日志

    本文内容 测试数据 字段属性 按多行解析运行时日志 把多行日志解析到字段 参考资料 在处理日志时,除了访问日志外,还要处理运行时日志,该日志大都用程序写的,比如 log4j.运行时日志跟访问日志最大的 ...

  3. Logstash-安装logstash-filter-multiline插件(解决logstash匹配多行日志)

    ELK-logstash在搬运日志的时候会出现多行日志,普通的搬运会造成保存到ES中日志一条一条的保存,很丑,而且不方便读取,logstash-filter-multiline可以解决该问题. 接下来 ...

  4. logstash匹配多行日志

    在工作中,遇到一个问题就是日志的处理,首选的方案就是ELFK(filebeat+logstash+es+kibana) 因为之前使用过logstash采集日志的时候,非常的消耗系统的资源,所以这里我选 ...

  5. Python正则处理多行日志一例

    正则表达式基础知识请参阅<正则表达式基础知识>,本文使用正则表达式来匹配多行日志并从中解析出相应的信息. 假设现在有这样的SQL日志: SELECT * FROM open_app WHE ...

  6. Python正则处理多行日志一例(可配置化)

    正则表达式基础知识请参阅<正则表达式基础知识>,本文使用正则表达式来匹配多行日志并从中解析出相应的信息. 假设现在有这样的SQL日志: SELECT * FROM open_app WHE ...

  7. 写给大忙人的ELK最新版6.2.4学习笔记-Logstash和Filebeat解析(java异常堆栈下多行日志配置支持)

    接前一篇CentOS 7下最新版(6.2.4)ELK+Filebeat+Log4j日志集成环境搭建完整指南,继续对ELK. logstash官方最新文档https://www.elastic.co/g ...

  8. ELK学习笔记之Logstash和Filebeat解析对java异常堆栈下多行日志配置支持

    0x00 概述 logstash官方最新文档.假设有几十台服务器,每台服务器要监控系统日志syslog.tomcat日志.nginx日志.mysql日志等等,监控OOM.内存低下进程被kill.ngi ...

  9. logstash 安装插件multiline

    一.安装multiline 在使用elk 传输记录 java 日志时,如下 一个java的报错 在elk中会按每一行 产生多条记录,不方便查阅 这里修改配置文件 使用  multiline   插件 ...

随机推荐

  1. lvs DR模式

    1.单机 director端ifconfig eth0:1 $vip broadcast $vip netmask 255.255.255.255 up ----broadcast广播(单机的时候加这 ...

  2. WPF之 DataGrid分页

    接着上一篇WPF之 DataGrid数据绑定,继续讲述WPF中DataGrid分页. 由于分页经常用到,就做了一个自定义控件,由于当时的局限性,只支持DataTable数据源,不过木关系,网上很多其他 ...

  3. Webpack使用教程六(Plugins)

    webpack可以通过插件进行功能扩展.webpack拥有很多的内置插件和第三方插件.下面以webpack自带的插件bannerPlugin为例,说明插件的简单用法.bannerPlugin可以将任何 ...

  4. 如何使不同主机上的docker容器互相通信

    docker启动时,会在宿主主机上创建一个名为docker0的虚拟网络接口,默认选择172.17.42.1/16,一个16位的子网掩码给容器提供了65534个IP地址.docker0只是一个在绑定到这 ...

  5. 六天玩转javascript:javascript变量与表达式(2)

    本系列内容为本人平时项目实践和参照MDN,MSDN,<javascript语言精粹>,<Effective Javascript>等资料,并且整理自己EverNote的日常积累 ...

  6. ContentControl 与 ViewModel (二)

    上文说到 可以使用DataTemplateSelector. 其实等于是用 DataTemplateSelector + 动态创建DataTemplate来实现. using System; usin ...

  7. 消灭ASP.NET CachedPathData.ValidatePath引起的HttpException异常

    在博客程序的日志中经常会出现这样的错误日志: Url: http://www.cnblogs.com/cmt/p/sokcet_memory_leak.html (这个URL仅是示例)UserAgen ...

  8. C语言 栈 链式结构 实现

    一个C语言链式结构实现的栈 mStack (GCC编译). /** * @brief C语言实现的链式结构类型的栈 * @author wid * @date 2013-10-30 * * @note ...

  9. Spec模板

    Spec模板      一.概述   1.项目背景    图书馆在正常运营中面对大量书籍.读者信息以及两者间相互联系产生的借书信息.还书信息.现有的人工记录方法既效率低又错误过多,大大影响了图书馆   ...

  10. AJAX跨域调用相关知识-CORS和JSONP(引)

    AJAX跨域调用相关知识-CORS和JSONP 1.什么是跨域 跨域问题产生的原因,是由于浏览器的安全机制,JS只能访问与所在页面同一个域(相同协议.域名.端口)的内容. 但是我们项目开发过程中,经常 ...