![](/img/trans.png)
[英]logstash grok multiline - how to merge to previous line any line that doesn't start with timestamp
[英]Multiline in Logstash with timestamp in each line
我有一个写在文件中的多行日志,如下所示:
INFO | jvm 1 | main | 2014/11/06 13:41:30.112 | ERROR [appHTTP50] [appEmployeeAuthenticationProvider] Can't login with username 'username'
INFO | jvm 1 | main | 2014/11/06 13:41:30.112 | org.framework.security.authentication.BadCredentialsException: Bad credentials
INFO | jvm 1 | main | 2014/11/06 13:41:30.112 | at de.app.platform.security.CoreAuthenticationProvider.authenticate(CoreAuthenticationProvider.java:133)
INFO | jvm 1 | main | 2014/11/06 13:41:30.112 | at ca.canadiantire.security.appEmployeeAuthenticationProvider.authenticate(appEmployeeAuthenticationProvider.java:39)
INFO | jvm 1 | main | 2014/11/06 13:41:30.112 | at org.framework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
INFO | jvm 1 | main | 2014/11/06 13:41:30.112 | at org.framework.security.authentication.ProviderManager.authenticate(ProviderManager.java:177)
但是,下面的行在开始的轨迹的每一行中:
信息| jvm 1 | 主| 2014/11/06 13:41:30.112 |
有谁知道如何将这一行留在“错误”附近的开始处,并用grok将该行的这一部分放到跟踪中,并在Logstash中作为一条消息获得完整的跟踪? 欢迎任何其他解决方案。
我认为gsub {}是答案。 要么有一个条件节,它将从后续行中删除前言,例如:
if [message] !~ /\| ERROR / {
mutate {
gsub => [ "message", "^.* \| ", "" ]
}
}
如果它是“贪婪的”,可能会给您这样的一行:
org.framework.security.authentication.BadCredentialsException: Bad credentials
然后可以与后续的multiline {}过滤器结合使用。
显然,您需要使两个正则表达式都足够通用,以处理您期望的每个日志级别。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.