Question

我正在尝试为我的日志文件创建过滤器。我的日志是：

    =-=-=-=-=-=-=-=-
    Timestamp: Thursday, April 19, 2018 2:48:49 AM
    Message: HandlingID: 3
    An exception of type 'System.Exception' occurred and was caught.
    ----------------------------------------------------------------
    04/19/2018 02:48:49
    Type : System.Exception,ib, Version=4.0.0.0, Culture=neutral
    Message : TRY
    Source : 
    Help link : 
    Data : LinkedList
    TargetSite : 
    HResult : LALA
    Stack Trace : The stack trace is unavailable.
    Additional Info:

    MachineName : S
    TimeStamp : 4/19/2018 6:48:49 AM
    FullName : Some Info
    AppDomainName : AA
    ThreadIdentity : 
    WindowsIdentity : jj

    Category: Error
    Priority: 0
    EventId: 1
    Severity: Extreme
    Title:p
    Machine: S
    Application Domain: y
    Process Id: 
    Process Name: l
    Win32 Thread Id: 6
    Thread Name: 
    Extended Properties: 
    =-=-=-=-=-=-=-=-
    =-=-=-=-=-=-=-=-

//SIMILAR LOG
    =-=-=-=-=-=-=-=-

这里= - = - = - = - = - = - = - = - 表示新日志的结束和开始。我的配置文件是：

input {
beats {
        port => "5044"
    }
}
filter {
multiline {
       pattern => "^=-=-=-=-=-=-=-=-"
       negate => true
       what => previous
    }
}
output {
elasticsearch {
        hosts => [ "localhost:9200" ]
    }
}

这为每个日志创建了2个文档（行）。一个包含分隔符+日志，另一个包含分隔符。我想删除仅包含分隔符的文档。另外，请让我知道如何将我的日志分成不同的字段，如果有任何适当的文档可以帮助我形成过滤器。我是logstash的新手。

Answer 1

如果您希望包含所有新行并在每次出现=-=-=-=-=-=-=-=-时拆分日志，则可以将其与多行修饰符(?m)匹配，如下所示，

(?m)%{GREEDYDATA:log}=-=-=-=-=-=-=-=-

将输出，

{
  "log": [
    [
      "    Timestamp: Thursday, April 19, 2018 2:48:49 AM\n    Message: HandlingID: 3\n    An exception of type 'System.Exception' occurred and was caught.\n    ----------------------------------------------------------------\n    04/19/2018 02:48:49\n    Type : System.Exception,ib, Version=4.0.0.0, Culture=neutral\n    Message : TRY\n    Source : \n    Help link : \n    Data : LinkedList\n    TargetSite : \n    HResult : LALA\n    Stack Trace : The stack trace is unavailable.\n    Additional Info:\n\n    MachineName : S\n    TimeStamp : 4/19/2018 6:48:49 AM\n    FullName : Some Info\n    AppDomainName : AA\n    ThreadIdentity : \n    WindowsIdentity : jj\n\n    Category: Error\n    Priority: 0\n    EventId: 1\n    Severity: Extreme\n    Title:p\n    Machine: S\n    Application Domain: y\n    Process Id: \n    Process Name: l\n    Win32 Thread Id: 6\n    Thread Name: \n    Extended Properties: \n    "
    ]
  ]
}

您可以在https://grokdebug.herokuapp.com/

进行测试

如何在登录日志

1 个答案: