Which grok pattern for logstash multiline with different event dividers
I have a log file (zope/plone event.log) which uses a custom string (e.g. "-----") as a divider between events. What should the grok pattern for parsing this log file into logstash look like?
This is an example of how the log looks:
------
2014-07-21T12:13:30 INFO ZServer HTTP server started at Mon Jul 21 12:13:30 2014
Hostname: localhost
Port: 8401
------
2014-07-21T12:13:44 WARNING SecurityInfo Conflicting security declarations for "setText"
------
2014-07-21T12:13:44 WARNING SecurityInfo Class "ATTopic" had conflicting security declarations
------
2014-07-21T12:13:47 INFO DocFinderTab Applied patch version 1.0.5.
You should start with the multiline codec or filter to create a single event for processing.
EDIT:
The doc gives this example:
filter {
  multiline {
    pattern => "pattern, a regexp"
    negate => boolean
    what => "previous" or "next"
  }
}
And describes what 'negate' and 'what' do. Hopefully 'pattern' makes sense.
So, how about "every line that doesn't start with a date belongs with the prior line"? That might be something like this:
filter {
  multiline {
    negate => 'true'
    pattern => "^%{TIMESTAMP_ISO8601} "
    what => 'previous'
  }
}
You'd be left with the "----" at the end of each line. Since you don't need them as delimiters, you can get rid of them (before the multiline filter stanza):
# Logstash field references take square brackets; a line consisting only of dashes is discarded.
if [message] =~ /^-+$/ {
  drop{}
}
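As an added illustration (not code from the question or the answer), this Python script emulates the filter chain above on the question's sample log: it drops the divider lines, applies the multiline rule (a line that does not start with an ISO-8601 timestamp is appended to the previous event), and then splits each event with a regex equivalent to a grok pattern such as `%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{NOTSPACE:logger} %{GREEDYDATA:message}`. That grok pattern is my suggestion for the first line of each event, not something the thread supplies.

```python
import re
from typing import Dict, List

# Constructed sample mirroring the zope/plone event.log shown in the question.
SAMPLE_LOG = """\
------
2014-07-21T12:13:30 INFO ZServer HTTP server started at Mon Jul 21 12:13:30 2014
Hostname: localhost
Port: 8401
------
2014-07-21T12:13:44 WARNING SecurityInfo Conflicting security declarations for "setText"
------
2014-07-21T12:13:44 WARNING SecurityInfo Class "ATTopic" had conflicting security declarations
------
2014-07-21T12:13:47 INFO DocFinderTab Applied patch version 1.0.5.
"""

# Equivalent of `if [message] =~ /^-+$/ { drop{} }`.
DIVIDER = re.compile(r"^-+$")
# Equivalent of pattern => "^%{TIMESTAMP_ISO8601} " with negate => true, what => previous:
# a line that does NOT start with an ISO-8601 timestamp belongs to the previous event.
EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})? ")
# Suggested grok for the first line (assumption, not from the thread):
#   %{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{NOTSPACE:logger} %{GREEDYDATA:message}
EVENT_LINE = re.compile(
    r"^(?P<timestamp>\S+) (?P<level>[A-Z]+) (?P<logger>\S+) (?P<message>.*)$", re.DOTALL
)


def multiline_events(text: str) -> List[str]:
    """Drop divider lines, then join continuation lines onto the previous event."""
    events: List[str] = []
    for line in text.splitlines():
        if DIVIDER.match(line):
            continue  # drop{} runs before the multiline stanza
        if EVENT_START.match(line) or not events:
            events.append(line)  # a new event starts here
        else:
            events[-1] += "\n" + line  # what => 'previous': append to the last event
    return events


def parse_event(event: str) -> Dict[str, str]:
    """Split one joined event into grok-style fields; tag it like grok does on a miss."""
    m = EVENT_LINE.match(event)
    if not m:
        return {"tags": "_grokparsefailure", "message": event}
    return m.groupdict()


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_event(e) for e in multiline_events(text)]
```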