Logstash: parse a multi-line stack trace stored in a log into a single event?

Time: 2020-09-14 20:03:48

Tags: parsing logstash multiline

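I have a log file with multi-line output, such as stack traces, stored as separate events. The log file is created by a syslog client. The syslog client uses the newline character as a delimiter, so each new line of the stack trace appears as a separate event in the syslog file. I am trying to check whether it is possible to parse this into a single event in Logstash. This syslog log file contains only stack traces.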

I would like to use the timestamp in the log body as the delimiter for parsing the log.

**Logstash input file Syslog.log**

Sep  7 22:23:26 prod-sandbox-srv-1 be-srvc: ====================================
Sep  7 22:23:26 prod-sandbox-srv-1 be-srvc: Timestamp: 2020-09-07 16:23:52.196
Sep  7 22:23:26 prod-sandbox-srv-1 be-srvc: at com.example.myproject.Book.getTitle(Book.java:16)
Sep  7 22:23:26 prod-sandbox-srv-1 be-srvc: at com.example.myproject.Author.getBookTitles(Author.java:25)
Sep  7 22:23:26 prod-sandbox-srv-1 be-srvc: at com.example.myproject.Bootstrap.main(Bootstrap.java:14)
Sep  7 22:23:26 prod-sandbox-srv-1 be-srvc: ====================================
Sep  8 22:23:26 prod-sandbox-srv-1 be-srvc: Timestamp: 2020-09-08 16:23:52.196
Sep  8 22:23:26 prod-sandbox-srv-1 be-srvc: at com.example.myproject.Book.getTitle(Book.java:16)
Sep  8 22:23:26 prod-sandbox-srv-1 be-srvc: at com.example.myproject.Author.getBookTitles(Author.java:25)
Sep  8 22:23:26 prod-sandbox-srv-1 be-srvc: at com.example.myproject.Bootstrap.main(Bootstrap.java:14)

The expectation is to parse it into a structured format and store it in Elastic.

Expected output

timestamp: "2020-09-07 16:23:52.196"
stack_trace: "Exception in thread main java.lang.NullPointerException
        at com.example.myproject.Book.getTitle(Book.java:16)
        at com.example.myproject.Author.getBookTitles(Author.java:25)
        at com.example.myproject.Bootstrap.main(Bootstrap.java:14)"
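
One way to do the grouping described in the question, added here as an example and not part of the original post: a Logstash pipeline that starts a new event at every `be-srvc: Timestamp:` line, then strips the per-line syslog prefix and the `====` separators. The file path and the `stdout` output are assumptions; swap in an `elasticsearch` output to index the result.

```logstash
input {
  file {
    path => "/var/log/Syslog.log"        # assumed location of the sample file
    start_position => "beginning"
    sincedb_path => "/dev/null"          # re-read the file on every test run
    codec => multiline {
      # Any line that is NOT a "Timestamp:" line is appended to the previous one,
      # so each "Timestamp:" line opens a new event.
      pattern => "be-srvc: Timestamp: "
      negate => true
      what => "previous"
      auto_flush_interval => 2           # flush the last trace when the file goes quiet
    }
  }
}

filter {
  mutate {
    gsub => [
      # 1. remove the syslog prefix ("Sep  7 22:23:26 host be-srvc: ") from every physical line
      "message", "^\w{3}\s+\d+ \d{2}:\d{2}:\d{2} \S+ be-srvc: ", "",
      # 2. remove the "=====" separator lines
      "message", "^=+\n?", ""
    ]
    strip => ["message"]
  }

  # The leading separator line of the file forms an event of its own; discard it.
  if [message] == "" {
    drop { }
  }

  grok {
    # (?m) lets GREEDYDATA span the remaining lines of the joined event
    match => { "message" => "(?m)^Timestamp: %{TIMESTAMP_ISO8601:timestamp}\n%{GREEDYDATA:stack_trace}" }
  }
}

output {
  stdout { codec => rubydebug }          # assumed output, for checking the fields
}
```

With the sample file this yields one event per trace, with `timestamp` and a multi-line `stack_trace` holding the `at ...` lines. The `Exception in thread main ...` header shown in the expected output does not appear in the sample input, so it cannot be recovered by parsing alone.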

0 answers:

No answers yet