How to parse a custom log



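I am new to Logstash. Can anyone help me with a grok filter to parse data with multiple newlines in the same log?

2018-10-08 13:38:34,280 [https-openssl-apr-0:0:0:0:0:0:0:0:0-8443-exec-424] INFO Rq:144839 ControllerInterceptor - afterCompletion() url: GET::/system/data/connect/service response: 200 elapsed: 10 ms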

  • 1. Using Grok

http://grokdebug.herokuapp.com/

[First input box] Input

2018-10-08 13:38:34,280 [https-openssl-apr-0:0:0:0:0:0:0:0-8443-exec-424] INFO Rq:144839 ControllerInterceptor - afterCompletion()
response: 200
elapsed: 10 ms

[Second input box] Grok pattern ==> %{UPTONEWLINE:Part1}%{UPTONEWLINE:Part2}

Check "Add custom patterns" and add the following line: UPTONEWLINE (?:(.+?)(\n))

Output

{
  "Part1": [
    [
      "2018-10-08 13:38:34,280 [https-openssl-apr-0:0:0:0:0:0:0:0-8443-exec-424] INFO Rq:144839 ControllerInterceptor - afterCompletion()\n"
    ]
  ],
  "Part2": [
    [
      "response: 200\n"
    ]
  ]
}
  • 2. Without the Grok filter - Logstash config file

Input

2018-10-08 13:38:34,280 [https-openssl-apr-0:0:0:0:0:0:0:0-8443-exec-424] INFO Rq:144839 ControllerInterceptor - afterCompletion()\nresponse: 200\nelapsed: 10 ms

Logstash config file

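input {
  http {
    port => 5043
    # Wildcard CORS headers as posted in the answer; narrow the allowed origin outside of testing
    response_headers => {
      "Access-Control-Allow-Origin" => "*"
      "Content-Type" => "text/plain"
      "Access-Control-Allow-Headers" => "Origin, X-Requested-With, Content-Type, Accept"
    }
  }
}
filter {
  mutate {
    # Split on the literal two-character sequence \n sent in the input above
    # (escapes in config strings are not interpreted unless config.support_escapes is enabled)
    split => ['message','\n']
    # Copy each resulting array element into its own field
    add_field => {
      "Part1" => "%{[message][0]}"
      "Part2" => "%{[message][1]}"
      "Part3" => "%{[message][2]}"
    }
  }
}
output {
  stdout {
    codec => rubydebug
  }
}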

Output

{
  "host"=>"0:0:0:0:0:0:0:1",
  "@version"=>"1",
  "message"=>[
    [0]"2018-10-08 13:38:34,280 [https-openssl-apr-0:0:0:0:0:0:0:0-8443-exec-424] INFO Rq:144839 ControllerInterceptor - afterCompletion()",
    [1]"response: 200",
    [2]"elapsed: 10 ms"
  ],
  "Part1"=>"2018-10-08 13:38:34,280 [https-openssl-apr-0:0:0:0:0:0:0:0-8443-exec-424] INFO Rq:144839 ControllerInterceptor - afterCompletion()",
  "Part2"=>"response: 200",
  "Part3"=>"elapsed: 10 ms",
  "@timestamp"=>2018-10-09T05:27:41.695Z
}
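
Both approaches above leave each line as an unparsed string. The following added example, which is not part of the original answer and uses Python instead of Logstash, splits the same event and extracts typed fields for searching or alerting. The header layout is inferred from the single sample line on this page, and the names `parse_event`, `request_id`, `elapsed_ms`, `fields` and `unparsed` are assumptions.

```python
import re
from datetime import datetime

# Assumed header layout: "<date> <time>,<ms> [<thread>] <LEVEL> Rq:<id> <logger> - <message>"
HEADER = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) "
    r"Rq:(?P<request_id>\d+) (?P<logger>\S+) - (?P<message>.*)$"
)
KEY_VALUE = re.compile(r"^(?P<key>\w+): (?P<value>.*)$")  # e.g. "response: 200"
ELAPSED = re.compile(r"^(\d+) ms$")

# Constructed sample: the event from the page, with real newlines.
SAMPLE = (
    "2018-10-08 13:38:34,280 [https-openssl-apr-0:0:0:0:0:0:0:0-8443-exec-424] "
    "INFO Rq:144839 ControllerInterceptor - afterCompletion()\n"
    "response: 200\nelapsed: 10 ms"
)


def parse_event(raw):
    """Return a dict for one multi-line event, or None if the header does not match."""
    # Split on real newlines and on the literal two-character "\n" used in approach 2.
    lines = [p.strip() for p in re.split(r"\r?\n|\\n", raw) if p.strip()]
    header = HEADER.match(lines[0]) if lines else None
    if header is None:
        return None
    event = header.groupdict()
    event["timestamp"] = datetime.strptime(event["timestamp"], "%Y-%m-%d %H:%M:%S,%f")
    event["request_id"] = int(event["request_id"])
    # Continuation keys live in their own dict so they cannot overwrite header fields.
    fields, unparsed = {}, []
    for line in lines[1:]:
        kv = KEY_VALUE.match(line)
        if kv:
            fields[kv["key"]] = kv["value"]
        else:
            unparsed.append(line)
    if fields.get("response", "").isdigit():
        fields["response"] = int(fields["response"])
    elapsed = ELAPSED.match(str(fields.get("elapsed", "")))
    if elapsed:
        fields["elapsed_ms"] = int(elapsed.group(1))
    event["fields"], event["unparsed"] = fields, unparsed
    return event


if __name__ == "__main__":
    print(parse_event(SAMPLE))
```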
