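I am using Filebeat -> Logstash -> Elasticsearch -> Kibana

Time: 2016-03-03 16:02:34

Tags: logstash

We have implemented Filebeat, Logstash, and Elasticsearch with a Kibana dashboard to view operational log content. I have a situation where I get logs from different services like this: for example, for one service, we collect operational logs in this format.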

timestamp <uniquerID> entry: ProcessAPI{AddEmployee} :hostname
timestamp <uniquerID> send: UserAPI{ValidateUser} :hostname
timestamp <uniquerID> receive: UserAPI{ValidateUser} :hostname
timestamp <uniquerID> send: AccountAPI{ValidateAccount} :hostname
timestamp <uniquerID> receive: AccountAPI{ValidateAccount} :hostname
timestamp <uniquerID> exit: ProcessAPI{AddEmployee} :hostname

I want to combine these log lines into a single line in the format below:

timestamp <uniquerID> Exit:ProcessAPI{AddEmployee} :hostname| UserAPI{ValidateUser} :hostname |  AccountAPI{ValidateAccount} :hostname

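Each log line has the associated parent service name in the source field. Is there any solution we can adopt to achieve this?

1 answer:

Answer 0: (score: 0)

You have to use the multiline codec as part of your input to tell Logstash that you have a multi-line log format. It can be complicated, and setting up the codec correctly depends on the specific format of your log file entries.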

https://www.elastic.co/guide/en/logstash/current/plugins-codecs-multiline.html
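
The transformation the question asks for, as an added example that is not part of the original question or answer and is not Logstash configuration: a standalone Python script that groups lines by their unique ID and emits one combined line when the exit line arrives, including the case where requests are interleaved or never exit. The timestamps, IDs and hostnames are constructed, the regular expression assumes the layout shown in the question, and the separator is normalized to ` | `.

```python
import re

# Constructed sample in the question's layout:
#   timestamp <uniqueID> event: Service{Operation} :hostname
# req-1 and req-2 are interleaved; req-2 never logs an exit line.
SAMPLE = """\
2016-03-03T16:02:34 <req-1> entry: ProcessAPI{AddEmployee} :host-a
2016-03-03T16:02:34 <req-2> entry: ProcessAPI{AddEmployee} :host-a
2016-03-03T16:02:35 <req-1> send: UserAPI{ValidateUser} :host-b
2016-03-03T16:02:35 <req-2> send: UserAPI{ValidateUser} :host-b
2016-03-03T16:02:36 <req-1> receive: UserAPI{ValidateUser} :host-b
2016-03-03T16:02:37 <req-1> send: AccountAPI{ValidateAccount} :host-c
2016-03-03T16:02:38 <req-1> receive: AccountAPI{ValidateAccount} :host-c
2016-03-03T16:02:39 <req-1> exit: ProcessAPI{AddEmployee} :host-a
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) <(?P<rid>[^>]+)> (?P<event>entry|send|receive|exit): "
    r"(?P<call>\w+\{\w+\}) :(?P<host>\S+)$"
)


def combine(lines):
    """Return (combined_lines, incomplete_ids, rejected_lines)."""
    pending = {}  # request ID -> {downstream call: host}, insertion-ordered
    combined, rejected = [], []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m is None:
            rejected.append(raw)  # not in the expected layout
            continue
        rid, event = m["rid"], m["event"]
        if event == "entry":
            pending[rid] = {}
        elif rid not in pending:
            rejected.append(raw)  # send/receive/exit with no entry seen
        elif event in ("send", "receive"):
            # send and receive name the same call; record it once
            pending[rid].setdefault(m["call"], m["host"])
        else:  # exit closes the request and emits the combined line
            calls = pending.pop(rid)
            parts = [f"Exit:{m['call']} :{m['host']}"]
            parts += [f"{call} :{host}" for call, host in calls.items()]
            combined.append(f"{m['ts']} <{rid}> " + " | ".join(parts))
    return combined, sorted(pending), rejected


if __name__ == "__main__":
    done, incomplete, rejected = combine(SAMPLE.splitlines())
    print("\n".join(done))
    print("incomplete:", incomplete, "rejected:", len(rejected))
```

Requests still listed as incomplete at the end of a run are worth surfacing in the dashboard as well, since a missing exit line usually means a failed or timed-out call.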