stackoom
  简体   繁体   中英

Cannot handle multiline input from filebeats in logstash with grok

 原文  2017-12-22 11:04:36       elasticsearch/ logstash/ groc

Question

I am new with logstash and I have the following multiline input in logstash from filebeats:

"message":"[step info]\\nstep: 3\\ngrammar name: grammar1\\nnoInputTimeout: 6000\\nstep stream idle time: 14910\\nstep stream start time: 2017-12-01 17:06:10.024\\nrec start time: 2017-12-01 17:06:09.994\\nrec finish time: 2017-12-01 17:06:12.748\\nsystem prompt duration: 570\\nuser barged in: true\\nuser noInput time: 0\\nuser speech duration: 1190\\nspeech start trigger: 8265\\nspeech start on rec: 7945\\nspeech end trigger: 8415\\nspeech end on rec: 9135\\nrec completion cause: 000 success\\nrec completion type: SR\\nrec result: onetwothreefour\\nrec inputMode: speech\\nRTF: 0.47\\nrec process time: 557\\nrec latency: 61\\nrec post delay: 62"

I am trying to find a pattern with grok but nothing is working. I also tried it with split and mutate but cannot manage to make it work.

1 answers

solution1
 0 ACCPTED  2017-12-23 16:30:01

This is just a pointer for you to try but the KV filter , (key value filter) may help.

Looking at your example you could do something like this. 

kv {
  source => "message"
  field_split => "\n"
  value_split => ":"
}

This would take your example of 

"message":"[step info]\nstep: 3\ngrammar name: grammar1\nnoInputTimeout: 6000\nstep stream idle time: 14910\nstep stream start time: 2017-12-01 17:06:10.024\nrec start time: 2017-12-01 17:06:09.994\nrec finish time: 2017-12-01 17:06:12.748\nsystem prompt duration: 570\nuser barged in: true\nuser noInput time: 0\nuser speech duration: 1190\nspeech start trigger: 8265\nspeech start on rec: 7945\nspeech end trigger: 8415\nspeech end on rec: 9135\nrec completion cause: 000 success\nrec completion type: SR\nrec result: onetwothreefour\nrec inputMode: speech\nRTF: 0.47\nrec process time: 557\nrec latency: 61\nrec post delay: 62"

And split on the \\n char, then create key value pairs out of the examples you have, the left hand side would be the field name and the right hand side would be the value. 

step: 3
grammar name: grammar1
noInputTimeout: 6000
step stream idle time: 14910
step stream start time: 2017-12-01 17:06:10.024
rec start time: 2017-12-01 17:06:09.994
rec finish time: 2017-12-01 17:06:12.748

If you need to split out the [step info] then you would need to provide more examples, but I would be using greedydata to basically split you're content into 2 fields, 1 for [step info] and 1 for [step lines] and pass split lines as the source field for KV filter above.

Hope this points you in the right direction.

E.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Why is my grok filter not parsing my filebeats messages ? I cannot see the logstash parsed field in Kibana (ELK) Parse multiline JSON with grok in logstash Logstash and grok : Variables name determined from input Parse Multiline JSON with Arrays using grok in logstash Facing Issue while sending data from Filebeats to Multiple Logstash files Unable to push multiline events from Filebeat S3 input to Logstash Multiple Logstash instances vs Filebeats Logstash - Add fields from the log - Grok Logstash Beats Input - multiple multiline codec Grok pattern for Logstash using HTTP POST request as input
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM