I am new to the Elastic Stack and I am trying to parse a multiline log for the first time (like this one):
2018-06-04 13:42:01,436 INFO (main) [en.vke.ultil.ServerStateChecker] - Server is not ready yet : Could not obtain connection to any of these urls: 127.0.0.1:1099 and discovery failed with error: javax.naming.CommunicationException: Receive timed out [Root exception is java.net.SocketTimeoutException: Receive timed out]
at $Proxy11.getServerState(Unknown Source)
Caused by: java.net.SocketTimeoutException: Receive timed out
I am using this grok filter:
%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:loglevel} (%{DATA:info}) %{SYSLOG5424SD:service} - (?m)%{GREEDYDATA:logmessage}
and this multiline configuration in my input:
codec => multiline {
  pattern => "^%{TIMESTAMP_ISO8601} "
  negate => true
  what => "previous"
}
When I display the output with the stdout codec, it works the way I want, with
Server is not ready yet : Could not obtain connection to any of these urls: 127.0.0.1:1099 and discovery failed with error: javax.naming.CommunicationException: Receive timed out [Root exception is java.net.SocketTimeoutException: Receive timed out]
at $Proxy11.getServerState(Unknown Source)
Caused by: java.net.SocketTimeoutException: Receive timed out
in the "logmessage" field. However, when I query Elasticsearch to look at the data, that field is empty: the lines are not parsed, but they are written outside that field.
I do not understand why it behaves differently, so I need some help or a hint to resolve this.
Thanks!
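As an added illustration (not part of the original post), the following Python script emulates what the multiline codec and the grok pattern above do to a constructed copy of the log excerpt: the codec stitches non-timestamp lines onto the previous event, and the grok-equivalent regex then pulls the whole stack trace into logmessage. The timestamp and LOGLEVEL regexes are simplified stand-ins for the grok library's definitions, and note that Oniguruma's `(?m)` (dot matches newline) corresponds to Python's `re.DOTALL`, not Python's `(?m)`.

```python
import re

# Constructed sample input, modelled on the log excerpt in the question:
# one event spanning three lines followed by a second, single-line event.
SAMPLE_LINES = [
    "2018-06-04 13:42:01,436 INFO (main) [en.vke.ultil.ServerStateChecker] - Server is not ready yet : Could not obtain connection",
    "at $Proxy11.getServerState(Unknown Source)",
    "Caused by: java.net.SocketTimeoutException: Receive timed out",
    "2018-06-04 13:42:05,000 WARN (main) [en.vke.ultil.ServerStateChecker] - Retrying",
]

# Simplified stand-in for grok's TIMESTAMP_ISO8601 (assumption: date, time, optional fraction).
TIMESTAMP_ISO8601 = r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?"
# Equivalent of: pattern => "^%{TIMESTAMP_ISO8601} "
START_RE = re.compile(r"^" + TIMESTAMP_ISO8601 + r" ")

# Equivalent of the question's grok pattern. The bare "(...)" around DATA:info is a
# regex group in grok too, so "(main)" ends up inside info, parentheses included.
# SYSLOG5424SD expands to \[%{DATA}\]; GREEDYDATA to .* ; (?m) becomes re.DOTALL here.
GROK_RE = re.compile(
    r"^(?P<timestamp>" + TIMESTAMP_ISO8601 + r") "
    r"(?P<loglevel>[A-Za-z]+) "        # simplified LOGLEVEL (assumption)
    r"(?P<info>.*?) "
    r"(?P<service>\[.*?\]) - "
    r"(?P<logmessage>.*)$",
    re.DOTALL,
)


def multiline_previous(lines, start_re=START_RE, negate=True):
    """Emulate codec => multiline with what => "previous".

    With negate => true, a line that does NOT match the pattern is appended to
    the previous event; a matching line starts a new event.
    """
    events, buf = [], []
    for line in lines:
        matched = bool(start_re.search(line))
        starts_new = matched if negate else not matched
        if starts_new and buf:
            events.append("\n".join(buf))
            buf = []
        buf.append(line)
    if buf:
        events.append("\n".join(buf))
    return events


def parse_events(lines):
    """Stitch lines into events, then apply the grok-equivalent regex to each."""
    parsed = []
    for event in multiline_previous(lines):
        m = GROK_RE.match(event)
        # Mirror grok: an unmatched event keeps its text and gets a failure tag.
        parsed.append(m.groupdict() if m else {"message": event, "tags": ["_grokparsefailure"]})
    return parsed
```

Running `parse_events(SAMPLE_LINES)` yields two events, the first with a three-line logmessage; if your indexed documents instead show one document per raw line, the stitching step is not happening before grok in the pipeline that feeds Elasticsearch.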