Once a time field appears in a log line, I am trying to associate the lines that follow it with that time field.
Sample log:
06-26-18 03:58:51 AM
top - 03:58:51 up 84 days, 2:05, 0 users, load average: 0.01, 0.08, 0.12
Tasks: 835 total, 1 running, 833 sleeping, 0 stopped, 1 zombie
Cpu(s): 1.3%us, 0.4%sy, 0.0%ni, 98.3%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 65695260k total, 54419828k used, 11275432k free, 286076k buffers
Swap: 6143996k total, 0k used, 6143996k free, 39933352k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
15213 avendato 20 0 19.9g 670m 19m S 3.6 1.0 2902:06 /usr/java/default/bin/java -Djava.util.logging.config.file=/var/avenda/tomcat/backend/co
6889 appuser 20 0 13.7g 911m 33m S 2.6 1.4 2942:16 /usr/local/avenda/tips/sbin/policy_server
06-26-18 11:57:48 PM
6711 root 20 0 109m 1252 1040 S 0.0 0.0 5:48.79 awk /top-/ {print strftime("%m-%d-%y %r")} 1
6712 root 20 0 27020 1204 916 S 0.0 0.0 0:24.81 /usr/sbin/rotatelogs /var/avenda/platform/log/system-load-monitor//system-load.%Y-%m-%d.
7183 root 20 0 0 0 0 S 0.0 0.0 0:00.00 [kworker/1:2]
8408 postgres 20 0 16.4g 17m 8160 S 0.0 0.0 0:00.05 postgres: appuser tipsdb [local] idle
06-26-18 11:57:48 PM
top - 23:57:48 up 84 days, 22:04, 0 users, load average: 0.33, 0.23, 0.23
Tasks: 833 total, 1 running, 831 sleeping, 0 stopped, 1 zombie
Cpu(s): 1.4%us, 0.4%sy, 0.0%ni, 98.1%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 65695260k total, 55910064k used, 9785196k free, 286240k buffers
Swap: 6143996k total, 0k used, 6143996k free, 41379668k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
8216 postgres 20 0 16.3g 50m 32m S 4.4 0.1 0:14.68 postgres: appsuperuser tipsdb 127.0.0.1(36820) idle
15213 avendato 20 0 19.9g 671m 19m S 4.0 1.0 2943:49 /usr/java/default/bin/java-
I want every line to be associated with the timestamp found above it. Can someone help me build that association?
Here is what I have tried:
Input:
input {
  file {
    sincedb_path => "/dev/null"
    path => ["///xyz-2018-12-25.log"]
    start_position => "beginning"
    type => "log-top"
    tags => ["top"]
    codec => multiline {
      patterns_dir => ["//etc/logstash/conf.d/patterns/patterns.conf"]
      pattern => "^%{DATETIME}"
      negate => true
      what => "previous"
    }
  }
}
Filter:
filter {
  if ("PID USER" in [message] or [message] == "") {
    drop {}
  }
  else if ([message] =~ /( AM)/ or [message] =~ /( PM)/) {
    grok {
      patterns_dir => ["//etc/logstash/conf.d/patterns/patterns.conf"]
      match => ["message", "%{DATETIME:logtime}"]
    }
    date {
      # parse the field grok just extracted, not the whole message
      match => ["logtime", "MM-dd-yy hh:mm:ss aa"]
      target => "@timestamp"
      locale => "en"
    }
  }
  else if ([message] =~ /(top -.*)/) {
    grok {
      patterns_dir => ["//etc/logstash/conf.d/patterns/patterns.conf"]
      match => ["message", "%{NOTSPACE:junk} +%{NOTSPACE:junk} %{HOUR:hour}:%{MINUTE:minute}:%{SECOND:seconds} +%{NOTSPACE:state} +%{SINCE:since}, +%{NUMBER:num-of-users:int} +%{NOTSPACE:junk} +%{NOTSPACE:junk} +%{NOTSPACE:junk} +%{NUMBER:load-avg-5min:float}, +%{NUMBER:load-avg-10min:float}, +%{NUMBER:load-avg-15min:float}"]
    }
  }
  else if ([message] =~ /(Tasks:.*)/) {
    grok {
      match => ["message", "%{NOTSPACE:junk} %{NUMBER:total-task:int} +%{NOTSPACE:junk}, +%{NUMBER:running-task:int} +%{NOTSPACE:junk}, +%{NUMBER:sleeping:int} +%{NOTSPACE:junk}, +%{NUMBER:stopped:int} +%{NOTSPACE:junk}, +%{NUMBER:zombie:int} +%{NOTSPACE:junk}"]
    }
  }
  else if ([message] =~ /(Cpu\(s\):.*)/) {
    grok {
      match => ["message", "%{NOTSPACE:junk} +%{NUMBER:user-cpu-percent:float}%+%{NOTSPACE:junk}, +%{NUMBER:sys-cpu-percent:float}%+%{NOTSPACE:junk}, +%{NUMBER:nice-cpu-percent:float}%+%{NOTSPACE:junk}, +%{NUMBER:idle-cpu-percent:float}%+%{NOTSPACE:junk}, +%{NUMBER:wait-cpu-percent:float}%+%{NOTSPACE:junk}, +%{NUMBER:hi-cpu-percent:float}%+%{NOTSPACE:junk}, +%{NUMBER:si-cpu-percent:float}%+%{NOTSPACE:junk}, +%{NUMBER:st-cpu-percent:float}%+%{NOTSPACE:junk}"]
    }
  }
  else if ([message] =~ /(Mem:.*)/) {
    grok {
      match => ["message", "%{NOTSPACE:junk} +%{NUMBER:total-mem:int}+%{NOTSPACE:total-mem-unit} +%{NOTSPACE:junk} +%{NUMBER:used-mem:int}+%{NOTSPACE:used-mem-unit} +%{NOTSPACE:junk} +%{NUMBER:free-mem:int}+%{NOTSPACE:free-mem-unit} +%{NOTSPACE:junk} +%{NUMBER:buf-mem:int}+%{NOTSPACE:buf-mem-unit} +%{NOTSPACE:junk}"]
    }
  }
  else if ([message] =~ /(Swap:.*)/) {
    grok {
      match => ["message", "%{NOTSPACE:junk} +%{NUMBER:total-swap:int}+%{NOTSPACE:total-swap-unit} +%{NOTSPACE:junk} +%{NUMBER:used-swap:int}+%{NOTSPACE:used-swap-unit} +%{NOTSPACE:junk} +%{NUMBER:free-swap:int}+%{NOTSPACE:free-swap-unit} +%{NOTSPACE:junk} +%{NUMBER:cache-swap:int}+%{NOTSPACE:cache-swap-unit} +%{NOTSPACE:junk}"]
    }
  }
  else {
    grok {
      match => ["message", "%{NUMBER:process-id:int} +%{NOTSPACE:user} +%{NOTSPACE:priority} +%{NUMBER:nice} +%{NOTSPACE:virt-mem-size} +%{NOTSPACE:reside-mem-size} +%{NOTSPACE:shared-mem-size} +%{NOTSPACE:process-status} +%{NUMBER:proc-cpu-use-percent:float} +%{NUMBER:proc-mem-use-percent:float} +%{NOTSPACE:cpu-time} +%{GREEDYDATA:command}"]
    }
  }
  mutate {
    remove_field => ["@version", "path", "host", "junk_perc", "junk"]
  }
}
In the patterns file I defined the DATETIME pattern as: DATETIME %{DATE} +%{HOUR}:%{MINUTE}:%{SECOND} +%{WORD}
I am having trouble with the association done by the multiline codec. For lines without a timestamp, the output still shows the Logstash runtime timestamp; these lines are shown in bold in the sample input.
The same question I posted 12 days ago at https://discuss.elastic.co/t/associating-log-lines-with-timestamp-in-log-line/144979 got no response.
Can someone help me as soon as possible? Thanks in advance.
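As an added example, not part of the question and not a Logstash feature, here is the same association done outside the pipeline in Python: a stateful parser that remembers the last awk-printed timestamp line and stamps every following top line with it, skipping the blank lines and the PID header just as the drop{} branch does, and extracting the fields the grok patterns above target. The sample input is constructed from the log in the question; the field names are mine.

```python
import re
from datetime import datetime
# Constructed sample in the layout of the question: an awk-printed timestamp line, then top's output.
SAMPLE = """06-26-18 03:58:51 AM
top - 03:58:51 up 84 days,  2:05,  0 users,  load average: 0.01, 0.08, 0.12
Tasks: 835 total,   1 running, 833 sleeping,   0 stopped,   1 zombie
Cpu(s):  1.3%us,  0.4%sy,  0.0%ni, 98.3%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:  65695260k total, 54419828k used, 11275432k free,   286076k buffers
Swap:  6143996k total,        0k used,  6143996k free, 39933352k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
15213 avendato  20   0 19.9g 670m  19m S  3.6  1.0 2902:06 /usr/java/default/bin/java -Djava.util.logging.config.file=/var/avenda/tomcat/backend/co
 6889 appuser   20   0 13.7g 911m  33m S  2.6  1.4 2942:16 /usr/local/avenda/tips/sbin/policy_server
06-26-18 11:57:48 PM
top - 23:57:48 up 84 days, 22:04,  0 users,  load average: 0.33, 0.23, 0.23
"""

TIMESTAMP = re.compile(r"^(\d{2}-\d{2}-\d{2}) (\d{1,2}:\d{2}:\d{2}) (AM|PM)\s*$")
LOAD = re.compile(r"load average: ([\d.]+), ([\d.]+), ([\d.]+)")
TASKS = re.compile(r"(\d+) (total|running|sleeping|stopped|zombie)")
CPU = re.compile(r"([\d.]+)%(us|sy|ni|id|wa|hi|si|st)")
MEM = re.compile(r"(\d+)k (total|used|free|buffers|cached)")
PROC = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\S+){6}\s+([\d.]+)\s+([\d.]+)\s+\S+\s+(.*)$")

def parse_top_log(text):
    """Return one dict per data line, each carrying the most recent timestamp line seen above it."""
    events, current_ts = [], None
    for line in text.splitlines():
        m = TIMESTAMP.match(line)
        if m:  # the awk-printed line: remember it instead of emitting an event for it
            current_ts = datetime.strptime(" ".join(m.groups()), "%m-%d-%y %I:%M:%S %p")
            continue
        if not line.strip() or "PID USER" in line or current_ts is None:
            continue  # blank lines, the column header, and anything before the first timestamp
        ev = {"logtime": current_ts}
        if line.startswith("top -"):
            ev.update(kind="top", load=[float(x) for x in LOAD.search(line).groups()])
        elif line.startswith("Tasks:"):
            ev.update(kind="tasks", **{k: int(v) for v, k in TASKS.findall(line)})
        elif line.startswith("Cpu(s):"):
            ev.update(kind="cpu", **{k: float(v) for v, k in CPU.findall(line)})
        elif line.startswith(("Mem:", "Swap:")):
            ev.update(kind=line.split(":")[0].lower(), **{k: int(v) for v, k in MEM.findall(line)})
        elif (m := PROC.match(line)):
            pid, user, cpu, mem, cmd = m.groups()
            ev.update(kind="process", pid=int(pid), user=user, cpu=float(cpu), mem=float(mem), command=cmd)
        else:
            ev.update(kind="unparsed", message=line)
        events.append(ev)
    return events
```

Every event produced for the first block carries 03:58:51 AM, and the second "top -" line carries 11:57:48 PM, which is the behaviour the multiline codec was expected to give.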