logstash合并行配置不起作用

Question

logstash合并行配置不起作用

发布于
2019-07-09

logstash合并行配置不起作用，输出的结果仍然是没有合并的结果

按照官网的配置

input {
   beats {
      port => "5044"
   }
   stdin {
     type => log
     codec => multiline {
        pattern => "^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\.\d{3}\s\[\]"
        negate => "true"
        what => "previous"
     }
   }
}

output {
   stdout {}
}

输出的结果

"@timestamp" => 2019-07-09T02:07:49.513Z,
      "@version" => "1",
          "host" => {
                   "os" => {
              "kernel" => "3.10.0-514.26.2.el7.x86_64",
            "codename" => "Core",
              "family" => "redhat",
            "platform" => "centos",
             "version" => "7 (Core)",
                "name" => "CentOS Linux"
        },
         "architecture" => "x86_64",
                   "id" => "963c2c41b08343f7b063dddac6b2e486",
             "hostname" => "newapi-server-ip156",
        "containerized" => false,
                 "name" => "newapi-server-ip156"
    },
         "input" => {
        "type" => "log"
    },
         "agent" => {
            "hostname" => "xxxxx",
                  "id" => "1c24cf79-b28e-4498-9c96-4fb86862cdc7",
                "type" => "filebeat",
             "version" => "7.2.0",
        "ephemeral_id" => "e4df9937-3a3f-4251-8229-bd5c4835295d"
    },
       "message" => "\tat org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.5.34.jar!/:8.5.34]",
           "ecs" => {
        "version" => "1.0.0"
    },
           "log" => {
        "offset" => 642139,
          "file" => {
            "path" => "/data/online/boot/logs/carinsurerservice/carinsurerservice.log"
        }
    }
}

我的一行的开始是日期，尝试了很多次，完全达不到官网所说的结果，官网地址mulitiline，网上很多博客也看了，和官网说法基本一致（部分博客都是错误的，根本无法实践），有没有用过这个的，看看我哪里配置错了。

elk版本 7.2

elk logstash

阅读 3.4k

1 个回答

得票最新

流浪的神明

2262817

发布于
2019-07-09

✓ 已被采纳

问题解决了
官网上写了这么一句，之前一直没注意：

If you are shipping events that span multiple lines, you need to use the configuration options available in Filebeat to handle multiline events before sending the event data to Logstash. You cannot use the Multiline codec plugin to handle multiline events. Doing so will result in the failure to start Logstash.

If you are sending multiline events to Logstash, use the options described here to handle multiline events before sending the event data to Logstash. Trying to implement multiline event handling in Logstash (for example, by using the Logstash multiline codec) may result in the mixing of streams and corrupted data.

这两段话的意思时如果使用了filebeat等多个日志输入流，就需要载输入到logstash之前把多行事物给处理调，然而filebeat中的multiline和logstash中有点不一样，部分属性是反的，一定要注意

最终的配置filebeat.yml

 ### Multiline options
  multiline.pattern: ^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\.\d{3}\s
  multiline.negate: true
  multiline.match: after

这样就可以了

撰写回答

你尚未登录，登录后可以

和开发者交流问题的细节
关注并接收问题和回答的更新提醒
参与内容的编辑和改进，让解决方法与时俱进

推荐问题

相似问题

找不到问题？创建新问题

logstash合并行配置不起作用

你尚未登录，登录后可以

如下logstash配置文件，cpu持续100%利用率，求指导问题所在哪里？

helm3安装了logstash配置好了logback，但是日志记录一直不对，如何解决？