为什么不根据grok'd字段Logstash多行合并行?
[英]Why won't Logstash multiline merge lines based on grok'd field?
问题描述
I'm trying to get logstash multiline to work with the following test file: 
我正在尝试使用logstash multiline来处理以下测试文件:
val=abc
123 abc
test
and using the following config for the filter: 并使用以下配置过滤器:
filter
{
if [message] =~ "val"
{
match => ["message", "val=%{WORD:calc}"
}
multiline
{
pattern => [calc]
what => "next"
}
}
The output shows up as follows (with the other fields stripped): 输出显示如下(其他字段被剥离):
"message" => "val=abc"
"calc" => "abc"
...
"message" => "123 abc"
The above lets me know that the grok is matching (hence the "calc" field) but I'm not sure why the multiline isn't merging the the first and 2nd line 上面让我知道grok匹配(因此“calc”字段),但我不确定为什么多行不合并第一行和第二行
1 个解决方案
解决方案1
2 已采纳 2014-07-24 07:56:54
Do you mean if the calc field exist, the first line and the second line will merge to a single envet? 你的意思是如果calc字段存在,第一行和第二行将合并为一个envet?
If yes, the following answer can help you. 如果是,以下答案可以帮助您。 Your multiline pattern is incorrect. 您的多线模式不正确。 Please refer to this config: 请参考此配置:
input {
stdin{}
}
filter {
if [message] =~ "val"
{
grok {
match => ["message", "val=%{WORD:calc}"]
}
}
multiline
{
pattern => "(val)"
what => "next"
}
}
output {
stdout {
codec => "rubydebug"
}
}
The pattern in multiline is when the message field has the val word, you meet the pattern and it will multiline merge with the second line. 多行中的模式是当message字段具有val字时,您满足模式并且它将与第二行进行多行合并。 In your example you use [cal] that's means when the message field has the cal word, however, there is no any cal in the message field. 在您的示例中,您使用[cal] ,这意味着当message字段具有cal字时,但是, message字段中没有任何cal 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.