我具有以下logstash配置,用于从kafka中读取类似syslog的消息:
input {
kafka {
bootstrap_servers => "172.24.0.3:9092"
topics => ["test"]
}
}
filter {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP}" }
}
}
output {
stdout { codec => rubydebug }
}
因此,当在logstash输入中发送syslog行时,将在stdout中生成以下消息:
FROM卡夫卡
r = p1.send('test', b'Jul 16 09:07:47 ubuntu user: test500')
STDOUT
{
"message" => "Jul 16 09:07:47 ubuntu user: test500",
"@version" => "1",
"@timestamp" => 2018-07-16T12:29:57.854Z,
"host" => "6d87dde4c74e"
}
现在,我想在每行的末尾添加多行\n字符,logstash将输入作为两条分离的消息进行处理,以使logstash stdout与以下示例类似:
同一信息中来自卡夫卡的多行
r = p1.send('test', b'Jul 16 09:07:47 ubuntu user: test501\nJul 16 09:07:47 ubuntu user: test502')
期望的标准输出
{
"message" => "Jul 16 09:07:47 ubuntu user: test501",
"@version" => "1",
"@timestamp" => 2018-07-16T12:29:57.854Z,
"host" => "6d87dde4c74e"
}
{
"message" => "Jul 16 09:07:47 ubuntu user: test502",
"@version" => "1",
"@timestamp" => 2018-07-16T12:29:57.854Z,
"host" => "6d87dde4c74e"
}
有什么想法可以在logstash上实现这种行为吗?
答案 0 :(得分:0)
我通过使用行编解码器实现了上述行为:
input {
kafka {
bootstrap_servers => "172.24.0.3:9092"
topics => ["test"]
## ## ## ## ##
codec => line
## ## ## ## ##
}
stdin {}
}