Question

我有一个简单明了的配置，我不确定我在尝试使这条多线工作时做错了什么。

input {
    gelf {
        codec => multiline {
            pattern => "^%{TIMESTAMP_ISO8601} "
            negate => true
            what => "previous"
        }
    }
}

filter {}

output {
    # I have the relevant ES hosts & index here
    elasticsearch { }
    stdout {
        codec => rubydebug
    }
}

我正在测试它如下，我得到单行，多行标记没有添加，我在logstash调试日志中看到事件逐个通过过滤器。

docker run -it --log-driver gelf --log-opt gelf-address=udp://127.0.0.1:12201 \
    --log-opt tag=mline-test python:alpine \
    python -c 'print("[2017-10-18 00:00:00,000] Hello world");assert False'

我使用logstash版本5.5.2＆amp; 5.6.3 =＆gt; elasticsearch 5.5
我安装了logstash-codec-multiline
我知道我可以使用logstash 2.4

Answer 1

我发现gelf输入插件中忽略了编解码器：logstash-plugins/logstash-input-gelf#37

这意味着gelf唯一的多行选项是使用logstash-2.4并获得单线程性能。

Settings: Default pipeline workers: 4
Defaulting pipeline worker threads to 1 because there are some filters that might not work with multiple worker threads {:count_was=>4, :filters=>["multiline"], :level=>:warn}
Pipeline main started

logstash-5.x gelf输入多行编解码器不起作用

1 个答案: