Logstash——multiline 插件，匹配多行日志

本文内容

测试数据

[code][16-04-12 03:40:01 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.

[16-04-12 03:40:02 DEBUG] impl.JdbcEntityInserter:- from product_category product_category

where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null

order by product_category.ORDERS asc

[16-04-12 03:40:03 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.

[16-04-12 03:40:04 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.

[16-04-12 03:40:05 DEBUG] impl.JdbcEntityInserter:- from product_category product_category

where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null

order by product_category.ORDERS desc

[16-04-12 03:40:06 DEBUG] impl.JdbcEntityInserter:- from product_category product_category

where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null

order by product_category.ORDERS asc

[16-04-12 03:40:07 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.

字段属性

对 multiline 插件来说，有三个设置比较重要：negate、pattern 和 what。

negate

false

pattern

previous 或

next

按多行解析运行时日志

[code]input {

file{

path=>"/usr/local/elk/logstash/logs/c.out"

type=>"runtimelog"

codec=> multiline {

pattern => "^\["

negate => true

what => "previous"

}

start_position=>"beginning"

sincedb_path=>"/usr/local/elk/logstash/sincedb-access"

ignore_older=>0

}

}

output{

stdout{

codec=>rubydebug

}

}

[code]{

"@timestamp" => "2016-06-01T04:37:43.147Z",

"message" => "[16-04-12 03:40:01 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

"@version" => "1",

"path" => "/usr/local/elk/logstash/logs/c.out",

"host" => "vcyber",

"type" => "runtimelog"

}

{

"@timestamp" => "2016-06-01T04:37:43.152Z",

"message" => "[16-04-12 03:40:02 DEBUG] impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS asc",

"@version" => "1",

"tags" => [

[0] "multiline"

],

"path" => "/usr/local/elk/logstash/logs/c.out",

"host" => "vcyber",

"type" => "runtimelog"

}

{

"@timestamp" => "2016-06-01T04:37:43.152Z",

"message" => "[16-04-12 03:40:03 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

"@version" => "1",

"path" => "/usr/local/elk/logstash/logs/c.out",

"host" => "vcyber",

"type" => "runtimelog"

}

{

"@timestamp" => "2016-06-01T04:37:43.155Z",

"message" => "[16-04-12 03:40:04 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

"@version" => "1",

"path" => "/usr/local/elk/logstash/logs/c.out",

"host" => "vcyber",

"type" => "runtimelog"

}

{

"@timestamp" => "2016-06-01T04:37:43.157Z",

"message" => "[16-04-12 03:40:05 DEBUG] impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS desc",

"@version" => "1",

"tags" => [

[0] "multiline"

],

"path" => "/usr/local/elk/logstash/logs/c.out",

"host" => "vcyber",

"type" => "runtimelog"

}

{

"@timestamp" => "2016-06-01T04:37:43.159Z",

"message" => "[16-04-12 03:40:06 DEBUG] impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS asc",

"@version" => "1",

"tags" => [

[0] "multiline"

],

"path" => "/usr/local/elk/logstash/logs/c.out",

"host" => "vcyber",

"type" => "runtimelog"

}

[code]input {

file{

path=>"/usr/local/elk/logstash/logs/c.out"

type=>"runtimelog"

codec=>multiline  {

pattern => "^\["

negate => true

what => "next"

}

start_position=>"beginning"

sincedb_path=>"/usr/local/elk/logstash/sincedb-access"

ignore_older=>0

}

}

output{

stdout{

codec=>rubydebug

}

}

[code]{

"@timestamp" => "2016-06-01T04:40:43.232Z",

"message" => "[16-04-12 03:40:01 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

"@version" => "1",

"path" => "/usr/local/elk/logstash/logs/c.out",

"host" => "vcyber",

"type" => "runtimelog"

}

{

"@timestamp" => "2016-06-01T04:40:43.237Z",

"message" => "[16-04-12 03:40:02 DEBUG] impl.JdbcEntityInserter:- from product_category product_category",

"@version" => "1",

"path" => "/usr/local/elk/logstash/logs/c.out",

"host" => "vcyber",

"type" => "runtimelog"

}

{

"@timestamp" => "2016-06-01T04:40:43.238Z",

"message" => "where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS asc\n[16-04-12 03:40:03 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

"@version" => "1",

"tags" => [

[0] "multiline"

],

"path" => "/usr/local/elk/logstash/logs/c.out",

"host" => "vcyber",

"type" => "runtimelog"

}

{

"@timestamp" => "2016-06-01T04:40:43.239Z",

"message" => "[16-04-12 03:40:04 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

"@version" => "1",

"path" => "/usr/local/elk/logstash/logs/c.out",

"host" => "vcyber",

"type" => "runtimelog"

}

{

"@timestamp" => "2016-06-01T04:40:43.244Z",

"message" => "[16-04-12 03:40:05 DEBUG] impl.JdbcEntityInserter:- from product_category product_category",

"@version" => "1",

"path" => "/usr/local/elk/logstash/logs/c.out",

"host" => "vcyber",

"type" => "runtimelog"

}

{

"@timestamp" => "2016-06-01T04:40:43.245Z",

"message" => "where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS desc\n[16-04-12 03:40:06 DEBUG] impl.JdbcEntityInserter:- from product_category product_category",

"@version" => "1",

"tags" => [

[0] "multiline"

],

"path" => "/usr/local/elk/logstash/logs/c.out",

"host" => "vcyber",

"type" => "runtimelog"

}

{

"@timestamp" => "2016-06-01T04:40:43.249Z",

"message" => "where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS asc\n[16-04-12 03:40:07 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

"@version" => "1",

"tags" => [

[0] "multiline"

],

"path" => "/usr/local/elk/logstash/logs/c.out",

"host" => "vcyber",

"type" => "runtimelog"

}

[code]codec=>multiline  {

pattern => "^\["

negate => false

what => "previous"

}

[code]{

"@timestamp" => "2016-06-01T05:38:50.853Z",

"message" => "[16-04-12 03:40:01 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.\n[16-04-12 03:40:02 DEBUG] impl.JdbcEntityInserter:- from product_category product_category",

"@version" => "1",

"tags" => [

[0] "multiline"

],

"path" => "/usr/local/elk/logstash/logs/c.out",

"host" => "vcyber",

"type" => "runtimelog"

}

{

"@timestamp" => "2016-06-01T05:38:50.856Z",

"message" => "where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null",

"@version" => "1",

"path" => "/usr/local/elk/logstash/logs/c.out",

"host" => "vcyber",

"type" => "runtimelog"

}

{

"@timestamp" => "2016-06-01T05:38:50.858Z",

"message" => "order by product_category.ORDERS asc\n[16-04-12 03:40:03 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.\n[16-04-12 03:40:04 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.\n[16-04-12 03:40:05 DEBUG] impl.JdbcEntityInserter:- from product_category product_category",

"@version" => "1",

"tags" => [

[0] "multiline"

],

"path" => "/usr/local/elk/logstash/logs/c.out",

"host" => "vcyber",

"type" => "runtimelog"

}

{

"@timestamp" => "2016-06-01T05:38:50.860Z",

"message" => "where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null",

"@version" => "1",

"path" => "/usr/local/elk/logstash/logs/c.out",

"host" => "vcyber",

"type" => "runtimelog"

}

{

"@timestamp" => "2016-06-01T05:38:50.861Z",

"message" => "order by product_category.ORDERS desc\n[16-04-12 03:40:06 DEBUG] impl.JdbcEntityInserter:- from product_category product_category",

"@version" => "1",

"tags" => [

[0] "multiline"

],

"path" => "/usr/local/elk/logstash/logs/c.out",

"host" => "vcyber",

"type" => "runtimelog"

}

{

"@timestamp" => "2016-06-01T05:38:50.863Z",

"message" => "where product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null",

"@version" => "1",

"path" => "/usr/local/elk/logstash/logs/c.out",

"host" => "vcyber",

"type" => "runtimelog"

}

把多行日志解析到字段

[code]input {

file{

path=>"/usr/local/elk/logstash/logs/c.out"

type=>"runtimelog"

codec=>multiline  {

pattern => "^\["

negate => true

what => "previous"

}

start_position=>"beginning"

sincedb_path=>"/usr/local/elk/logstash/sincedb-access"

ignore_older=>0

}

}

filter {

grok {

match=>["message","\[%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level}\] %{GREEDYDATA:msg}"]

}

}

output{

stdout{

codec=>rubydebug

}

}

[code]{

"@timestamp" => "2016-06-01T06:33:26.426Z",

"message" => "[16-04-12 03:40:01 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

"@version" => "1",

"path" => "/usr/local/elk/logstash/logs/c.out",

"host" => "vcyber",

"type" => "runtimelog",

"timestamp" => "16-04-12 03:40:01",

"level" => "DEBUG",

"msg" => "model.MappingNode:- ['/store/shopclass'] matched over."

}

{

"@timestamp" => "2016-06-01T06:33:26.485Z",

"message" => "[16-04-12 03:40:02 DEBUG] impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS asc",

"@version" => "1",

"tags" => [

[0] "multiline"

],

"path" => "/usr/local/elk/logstash/logs/c.out",

"host" => "vcyber",

"type" => "runtimelog",

"timestamp" => "16-04-12 03:40:02",

"level" => "DEBUG",

"msg" => "impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS asc"

}

{

"@timestamp" => "2016-06-01T06:33:26.491Z",

"message" => "[16-04-12 03:40:03 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

"@version" => "1",

"path" => "/usr/local/elk/logstash/logs/c.out",

"host" => "vcyber",

"type" => "runtimelog",

"timestamp" => "16-04-12 03:40:03",

"level" => "DEBUG",

"msg" => "model.MappingNode:- ['/store/shopclass'] matched over."

}

{

"@timestamp" => "2016-06-01T06:33:26.492Z",

"message" => "[16-04-12 03:40:04 DEBUG] model.MappingNode:- ['/store/shopclass'] matched over.",

"@version" => "1",

"path" => "/usr/local/elk/logstash/logs/c.out",

"host" => "vcyber",

"type" => "runtimelog",

"timestamp" => "16-04-12 03:40:04",

"level" => "DEBUG",

"msg" => "model.MappingNode:- ['/store/shopclass'] matched over."

}

{

"@timestamp" => "2016-06-01T06:33:26.494Z",

"message" => "[16-04-12 03:40:05 DEBUG] impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS desc",

"@version" => "1",

"tags" => [

[0] "multiline"

],

"path" => "/usr/local/elk/logstash/logs/c.out",

"host" => "vcyber",

"type" => "runtimelog",

"timestamp" => "16-04-12 03:40:05",

"level" => "DEBUG",

"msg" => "impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS desc"

}

{

"@timestamp" => "2016-06-01T06:33:26.495Z",

"message" => "[16-04-12 03:40:06 DEBUG] impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS asc",

"@version" => "1",

"tags" => [

[0] "multiline"

],

"path" => "/usr/local/elk/logstash/logs/c.out",

"host" => "vcyber",

"type" => "runtimelog",

"timestamp" => "16-04-12 03:40:06",

"level" => "DEBUG",

"msg" => "impl.JdbcEntityInserter:- from product_category product_category\nwhere product_category.PARENT_ID is null and product_category.STATUS = ? and product_category.DEALER_ID is null\norder by product_category.ORDERS asc"

}

参考资料