我有以下logstash配置,用于从kafka读取类似syslog的消息:
input {
kafka {
bootstrap_servers => "172.24.0.3:9092"
topics => ["test"]
}
}
filter {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP}" }
}
}
output {
stdout { codec => rubydebug }
}
因此,当在logstash输入处发送syslog行时,会在stdout处生成以下消息:
来自KAFKA
r = p1.send('test', b'Jul 16 09:07:47 ubuntu user: test500')
标准输出
{
"message" => "Jul 16 09:07:47 ubuntu user: test500",
"@version" => "1",
"@timestamp" => 2018-07-16T12:29:57.854Z,
"host" => "6d87dde4c74e"
}
现在,我想在每行的末尾添加多行n字符,并且logstash将输入作为两个单独的消息进行处理,这样logstash stdout就类似于下面的示例:
同一消息中来自KAFKA的多行
r = p1.send('test', b'Jul 16 09:07:47 ubuntu user: test501nJul 16 09:07:47 ubuntu user: test502')
所需STDOUT
{
"message" => "Jul 16 09:07:47 ubuntu user: test501",
"@version" => "1",
"@timestamp" => 2018-07-16T12:29:57.854Z,
"host" => "6d87dde4c74e"
}
{
"message" => "Jul 16 09:07:47 ubuntu user: test502",
"@version" => "1",
"@timestamp" => 2018-07-16T12:29:57.854Z,
"host" => "6d87dde4c74e"
}
你知道如何在logstash上实现这种行为吗?
我通过使用线路编解码器实现了上述行为
input {
kafka {
bootstrap_servers => "172.24.0.3:9092"
topics => ["test"]
## ## ## ## ##
codec => line
## ## ## ## ##
}
stdin {}
}