我已经搜索了SO,当然还有选择的搜索引擎,但没有找到有效的解决方案。
我尝试用logstash解析多行日志文件而没有任何成功。
日志文件如下所示:
appl.log
2014-02-31 11:06:55,268 - WARN main com.applicationname.commons.shop.OrderDetails
java.lang.NullPointerException
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
2014-02-31 11:06:55,268 - WARN main com.applicationname.commons.shop.OrderDetails
java.lang.NullPointerException
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
AFAIK以" \ t ...开头的行"
我对logstash的当前(非工作版本)conf看起来像:
logstash.conf
input =>
input {
file {
path => "/var/log/appl.log"
type => "appl"
codec => multiline {
negate => true
pattern => "^\s"
what => "previous"
}
}
}
filter =>
filter {
if [type] == "appl" {
grok {
add_tag => [ "groked" ]
match => ["message", ".*"]
remove_tag => ["_grokparsefailure"]
}
}
}
欢迎使用正确方向进行工作多线过滤器。
答案 0 :(得分:3)
试试这个:
input =>
input {
file {
path => "/var/log/appl.log"
type => "appl"
codec => multiline {
pattern => "^%{TIMESTAMP_ISO8601} "
negate => true
what => "previous"
}
}
}
filter =>
filter {
if [type] == "appl" {
grok {
add_tag => [ "groked" ]
match => ["message", ".*"]
remove_tag => ["_grokparsefailure"]
}
}
}