在 ELK 中,如何防止 filebeat 将多个日志行分组/集群到单个文档中?
[英]In ELK, how to prevent filebeat grouping/clustering multiple log lines into single document?
问题描述
我正在尝试将日志索引到 elasticsearch。
为了支持我的 Java 日志的多行,我在 filebeat.yml 中包含了以下配置。 我不确定 grok 模式是否适用于filebeat ,但我的要求是日志应仅以时间戳开头!
filebeat.prospectors:
- type: log
paths:
- /ofbiz/runtime/logs/*.log
fields:
docType: app-logs
document_type: app-logs
multiline.type: pattern
multiline.pattern: "^%{TIMESTAMP_ISO8601}"
multiline.negate: true
multiline.match: after
ignore_older: 24h
close_inactive: 60m
fields:
env: dev
project: Ofbiz-Backend
output:
logstash:
enabled: true
hosts:
- elk:5044
timeout: 15
ssl.enabled: false
但是我可能会遗漏一些东西,因此成批的预期日志行包含在单个文档中。
我的预期结果是这些日志应该单独索引!
自上周以来,我尝试了所有我探索过的解决方案,其中包括将流式日志直接传输到弹性搜索和使用摄取管道,将negate和match的配置更改为每个可能的组合! 我没能成功!
示例日志行如下:
2021-11-26 08:35:04,719 |OFBiz-JobQueue-0 |PersistedServiceJob |E| PersistedServiceJob.getContext(): SAXException
org.xml.sax.SAXParseException: Character reference "�" is an invalid XML character.
at org.apache.xerces.parsers.DOMParser.parse(Unknown Source) ~[xercesImpl-2.9.1.jar:?]
at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source) ~[xercesImpl-2.9.1.jar:?]
at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:121) ~[?:1.8.0_275]
at org.apache.ofbiz.base.util.UtilXml.readXmlDocument(UtilXml.java:457) ~[ofbiz.jar:?]
at org.apache.ofbiz.base.util.UtilXml.readXmlDocument(UtilXml.java:371) ~[ofbiz.jar:?]
at org.apache.ofbiz.entity.serialize.XmlSerializer.deserialize(XmlSerializer.java:97) ~[ofbiz.jar:?]
at org.apache.ofbiz.service.job.PersistedServiceJob.getContext(PersistedServiceJob.java:293) [ofbiz.jar:?]
at org.apache.ofbiz.service.job.GenericServiceJob.exec(GenericServiceJob.java:70) [ofbiz.jar:?]
at org.apache.ofbiz.service.job.AbstractJob.run(AbstractJob.java:87) [ofbiz.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_275]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_275]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_275]
2021-11-26 08:35:04,719 |OFBiz-JobQueue-0 |PersistedServiceJob |E| Job context is null
2021-11-26 08:35:04,719 |OFBiz-JobQueue-0 |ModelService |E| [ModelService.validate] : {sendProjectStatusNotification} : (IN) Required test error: org.apache.ofbiz.service.ServiceValidationException: The following required parameter is missing: [IN] [sendProjectStatusNotification.createdByPartyId]The following required parameter is missing: [IN] [sendProjectStatusNotification.projectId]The following required parameter is missing: [IN] [sendProjectStatusNotification.statusId]The following required parameter is missing: [IN] [sendProjectStatusNotification.title]The following required parameter is missing: [IN] [sendProjectStatusNotification.toRecipients]
2021-11-26 08:35:04,719 |OFBiz-JobQueue-0 |ServiceDispatcher |E| Incoming context (in runSync : sendProjectStatusNotification) does not match expected requirements
0 个解决方案
使用ELK的Filebeat>如何有效地为每个日志文件建立索引
[英]Filebeat with ELK > how to build indices per log file efficiently
如何在Filebeat / ELK中为不同的日志定义分离的索引?
[英]How to define seperated indexes for different logs in Filebeat/ELK?
如果日志包含特定字段,如何限制Filebeat仅将日志发送到ELK?
[英]How to constrain Filebeat to only ship logs to ELK if they contain a specific field?
如何使用 Elastic APM、Metricbeat 和 Filebeat 在 Kubernetes (AKS) 中安装 ELK?
[英]How to install ELK in Kubernetes (AKS) with Elastic APM, Metricbeat and Filebeat?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
如何保护 ELK 和 Filebeat?
使用ELK的Filebeat>如何有效地为每个日志文件建立索引
如何从 kubernetes 卸载 ELK filebeat?
如何防止旧日志从文件拍追加到Logstash?
ELK和Filebeat配置
ELK堆栈中的Logstash和filebeat
如何在Filebeat / ELK中为不同的日志定义分离的索引?
如果日志包含特定字段,如何限制Filebeat仅将日志发送到ELK?
如何使用 Elastic APM、Metricbeat 和 Filebeat 在 Kubernetes (AKS) 中安装 ELK?
ELK:如何处理两行数据?
相关标签