
Cannot handle multiline input from filebeats in logstash with grok

I am new with logstash and I have the following multiline input in logstash from filebeats:

"message":"[step info]\\nstep: 3\\ngrammar name: grammar1\\nnoInputTimeout: 6000\\nstep stream idle time: 14910\\nstep stream start time: 2017-12-01 17:06:10.024\\nrec start time: 2017-12-01 17:06:09.994\\nrec finish time: 2017-12-01 17:06:12.748\\nsystem prompt duration: 570\\nuser barged in: true\\nuser noInput time: 0\\nuser speech duration: 1190\\nspeech start trigger: 8265\\nspeech start on rec: 7945\\nspeech end trigger: 8415\\nspeech end on rec: 9135\\nrec completion cause: 000 success\\nrec completion type: SR\\nrec result: onetwothreefour\\nrec inputMode: speech\\nRTF: 0.47\\nrec process time: 557\\nrec latency: 61\\nrec post delay: 62"

I am trying to find a pattern with grok but nothing is working. I also tried it with split and mutate but cannot manage to make it work.

This is just a pointer for you to try, but the KV filter (key value filter) may help.

Looking at your example you could do something like this.

kv {
  source => "message"
  field_split => "\n"
  value_split => ":"
}

This would take your example of

"message":"[step info]\nstep: 3\ngrammar name: grammar1\nnoInputTimeout: 6000\nstep stream idle time: 14910\nstep stream start time: 2017-12-01 17:06:10.024\nrec start time: 2017-12-01 17:06:09.994\nrec finish time: 2017-12-01 17:06:12.748\nsystem prompt duration: 570\nuser barged in: true\nuser noInput time: 0\nuser speech duration: 1190\nspeech start trigger: 8265\nspeech start on rec: 7945\nspeech end trigger: 8415\nspeech end on rec: 9135\nrec completion cause: 000 success\nrec completion type: SR\nrec result: onetwothreefour\nrec inputMode: speech\nRTF: 0.47\nrec process time: 557\nrec latency: 61\nrec post delay: 62"

And split on the \\n char, then create key value pairs out of the examples you have, the left hand side would be the field name and the right hand side would be the value.

step: 3
grammar name: grammar1
noInputTimeout: 6000
step stream idle time: 14910
step stream start time: 2017-12-01 17:06:10.024
rec start time: 2017-12-01 17:06:09.994
rec finish time: 2017-12-01 17:06:12.748

If you need to split out the [step info] then you would need to provide more examples, but I would be using greedydata to basically split your content into 2 fields, 1 for [step info] and 1 for [step lines] and pass split lines as the source field for KV filter above.

Hope this points you in the right direction.

E.
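To check what the kv split described in this answer produces on the question's message before touching the pipeline, here is an added Python approximation of that split (example code written for this page, not the answerer's configuration and not the Logstash filter's own code). It assumes the answer's settings of a newline field separator and ":" as the value separator, keeps the "[step info]" header line apart because it carries no separator, and splits each remaining line on the first ":" only so the timestamp values keep their own colons; the sample message is constructed from the question.

```python
# Constructed sample: the message field from the question, with the
# line breaks written as Python "\n" escapes (shortened to a few lines).
SAMPLE_MESSAGE = (
    "[step info]\nstep: 3\ngrammar name: grammar1\nnoInputTimeout: 6000\n"
    "step stream start time: 2017-12-01 17:06:10.024\n"
    "rec completion cause: 000 success\nRTF: 0.47\nrec post delay: 62"
)


def kv_parse(message, field_split="\n", value_split=":"):
    """Approximate the kv filter with field_split "\n" and value_split ":".

    Returns (header_lines, fields). Lines that contain no value separator,
    such as "[step info]", are collected in header_lines instead of being
    turned into a bogus field. Every other line is split on the FIRST
    value separator only, so a value that itself contains ":" (the
    "2017-12-01 17:06:10.024" timestamps) survives intact.
    """
    # The escaped JSON in the question shows "\\n"; depending on how the
    # event arrives, the separator may be a real newline or the literal
    # two characters backslash-n. Normalise the latter before splitting.
    # (Assumption for this example, not documented kv filter behaviour.)
    text = message.replace("\\n", "\n") if field_split == "\n" else message
    header_lines = []
    fields = {}
    for raw in text.split(field_split):
        line = raw.strip()
        if not line:
            continue
        if value_split not in line:
            header_lines.append(line)
            continue
        key, value = line.split(value_split, 1)
        fields[key.strip()] = value.strip()
    return header_lines, fields


if __name__ == "__main__":
    header, parsed = kv_parse(SAMPLE_MESSAGE)
    print("header lines:", header)
    for name, value in parsed.items():
        print(f"{name!r} -> {value!r}")
```

Any key that the kv filter would receive from a line lacking ":" shows up in header_lines here, which is the same content the answer suggests carving off into a separate [step info] field with greedydata before running kv.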
