I am printing the following log messages:
{"timestamp":"15-06-2020 22:12:35","level":"INFO","thread":"http-nio-8080-exec-2","mdc":{"Z-Request-Id":"20200615101234-2c078173-66c2-49ce-93ec-40dfab2a7312","destination":"backendorg"},"logger":"com.AbcHandler","message":"host: localhost, port: 9200, index: zindex and protocol: http","context":"ZPlatform"}
{"timestamp":"15-06-2020 22:12:35","level":"INFO","thread":"http-nio-8080-exec-2","mdc":{"Z-Request-Id":"20200615101234-2c078173-66c2-49ce-93ec-40dfab2a7312","destination":"backendorg"},"logger":"com.AbcHandler","message":"batchNumber: 1 and batchSize: 50","context":"ZPlatform"}
I am using the multiline codec to parse the above messages; below is my Logstash configuration file:
input {
  file {
    start_position => "end"
    sincedb_path => "/tmp/sincedb_file"
    codec => multiline {
      pattern => "^Spalanzani"
      negate => true
      what => previous
    }
  }
}
filter {
  if [type] == "app" {
    grok {
      match => [ "message","%{GREEDYDATA:jsonstring}"]
    }
    json {
      source => "jsonstring"
      target => "parsedJson"
      remove_field=>["jsonstring"]
    }
    mutate {
      add_field => {
        "frontendDateTime" => "%{[parsedJson][timestamp]}"
        "logMessage" => "%{[parsedJson][message]}"
      }
    }
    mutate {
      remove_field => [ "parsedJson" ]
    }
  }
}
But what I see is that all of the above messages are lumped together. I don't know why this happens. It should show separate log messages.
{
"tags" => [
[0] "multiline"
],
"message" => "{\"timestamp\":\"15-06-2020 22:12:35\",\"level\":\"INFO\",\"thread\":\"http-nio-8080-exec-2\",\"mdc\":{\"Z-Request-Id\":\"20200615101234-2c078173-66c2-49ce-93ec-40dfab2a7312\",\"destination\":\"backendorg\"},\"logger\":\"com.AbcHandler\",\"message\":\"host: localhost, port: 9200, index: zindex and protocol: http\",\"context\":\"ZPlatform\"}\n{\"timestamp\":\"15-06-2020 22:12:35\",\"level\":\"INFO\",\"thread\":\"http-nio-8080-exec-2\",\"mdc\":{\"Z-Request-Id\":\"20200615101234-2c078173-66c2-49ce-93ec-40dfab2a7312\",\"destination\":\"backendorg\"},\"logger\":\"com.AbcHandler\",\"message\":\"batchNumber: 1 and batchSize: 50\",\"context\":\"ZPlatform\"}",
"logMessage" => "search string: ",
"@timestamp" => 2020-06-15T16:42:38.256Z
}
Can someone help me?
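
Added example, not part of the original post and not Logstash code: a small Python model of how the multiline codec groups lines when `what => previous` is set, run over constructed, shortened copies of the two log lines above. The function names and the `^\{` pattern are assumptions chosen for illustration.

```python
import json
import re

def multiline_previous(lines, pattern, negate):
    """Model of the multiline codec with what => previous.

    A line that "matches" (regex hit, inverted when negate is true) is
    appended to the pending event; any other line flushes the pending
    event and starts a new one.
    """
    regex = re.compile(pattern)
    events, pending = [], []
    for line in lines:
        matched = bool(regex.search(line)) != negate
        if not matched and pending:
            events.append("\n".join(pending))
            pending = []
        pending.append(line)
    if pending:  # final flush (auto-flush or shutdown in Logstash)
        events.append("\n".join(pending))
    return events

# Constructed sample: shortened versions of the two log lines in the question.
SAMPLE = [
    '{"timestamp":"15-06-2020 22:12:35","level":"INFO","message":"host: localhost, port: 9200"}',
    '{"timestamp":"15-06-2020 22:12:35","level":"INFO","message":"batchNumber: 1 and batchSize: 50"}',
]

def parse_events(events):
    """Return the "message" field of each event, or None if it is not valid JSON."""
    out = []
    for ev in events:
        try:
            out.append(json.loads(ev)["message"])
        except json.JSONDecodeError:
            out.append(None)
    return out

# Pattern from the question: no line starts with "Spalanzani", so with
# negate => true every line counts as a continuation of the previous one.
merged = multiline_previous(SAMPLE, r"^Spalanzani", negate=True)
# Assumed alternative: every line beginning with "{" starts a new event.
split = multiline_previous(SAMPLE, r"^\{", negate=True)

if __name__ == "__main__":
    print(len(merged), parse_events(merged))
    print(len(split), parse_events(split))
```

In this model the merged event is two JSON objects joined by a newline, which no longer parses as a single JSON document, while the split events parse individually.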