小贝子编程

logstash grok 如何将任何不以时间戳开头的行合并到上一行



有时我打印到日志缩进漂亮的json,打印在多行。因此,我需要能够告诉logstash将这些打印结果附加到原始事件的原始行。

的例子:

xxx p:INFO d:2015-07-21 11:11:58,906 sourceThread:3iMind-Atlas-akka.actor.default-dispatcher-2 queryUserId: queryId: hrvJobId:6c1a4d60-e5e6-40d8-80aa-a4dc00e9f0c4 etlStreamId:70 etlOmdId: etlDocId: logger:tim.atlas.module.etl.mq.MQConnectorEtl msg:(st:Consuming) received NotifyMQ. sending to [openmind_exchange/job_ack] message:
{
  "JobId" : "6c1a4d60-e5e6-40d8-80aa-a4dc00e9f0c4",
  "Time" : "2015-07-21T11:11:58.904Z",
  "Errors" : [ ],
  "FeedItemSchemaCounts" : {
    "Document" : 1,
    "DocumentMetadata" : 1
  },
  "OtherSchemaCounts" : { }
}

由于我已经设置了一个特殊的log4j appender,仅作为logstash输入,因此该任务应该非常容易。我控制日志的布局,所以我可以添加任意多的前缀/后缀指示符。

我的appender是这样的:

log4j.appender.logstash-input.layout.ConversionPattern=xxx p:%p d:%d{yyyy-MM-dd HH:mm:ss,SSS}{UTC} sourceThread:%X{sourceThread} queryUserId:%X{userId} queryId:%X{queryId} hrvJobId:%X{hrvJobId} etlStreamId:%X{etlStreamId} etlOmdId:%X{etlOmdId} etlDocId:%X{etlDocId} logger:%c msg:%m%n

正如你所看到的,我给每条消息都加上了'xxx'前缀,所以我可以告诉logstash将任何不以'xxx'开头的行附加到前一行

下面是我的logstash配置:

if [type] == "om-svc-atlas" {
    grok {
        match => [ "message" , "(?m)p:%{LOGLEVEL:loglevel} d:%{TIMESTAMP_ISO8601:logdate} sourceThread:%{GREEDYDATA:sourceThread} queryUserId:%{GREEDYDATA:userId} queryId:%{GREEDYDATA:queryId} hrvJobId:%{GREEDYDATA:hrvJobId} etlStreamId:%{GREEDYDATA:etlStreamId} etlOmdId:%{GREEDYDATA:etlOmdId} etlDocId:%{GREEDYDATA:etlDocId} logger:%{GREEDYDATA:logger} msg:%{GREEDYDATA:msg}" ]
        add_tag => "om-svc-atlas"
    }
    date {
        match => [ "logdate" , "YYYY-MM-dd HH:mm:ss,SSS" ]
        timezone => "UTC"
    }
    multiline {
        pattern => "<please tell me what to put here to tell logstash to append any line which doesnt start with xxx to the previous line>"
        what => "previous"
    }
  }

确实很简单:

if [type] == "om-svc-atlas" {
    grok {
        match => [ "message" , "(?m)p:%{LOGLEVEL:loglevel} d:%{TIMESTAMP_ISO8601:logdate} sourceThread:%{GREEDYDATA:sourceThread} queryUserId:%{GREEDYDATA:userId} queryId:%{GREEDYDATA:queryId} hrvJobId:%{GREEDYDATA:hrvJobId} etlStreamId:%{GREEDYDATA:etlStreamId} etlOmdId:%{GREEDYDATA:etlOmdId} etlDocId:%{GREEDYDATA:etlDocId} logger:%{GREEDYDATA:logger} msg:%{GREEDYDATA:msg}" ]
        add_tag => "om-svc-atlas"
    }
    date {
        match => [ "logdate" , "YYYY-MM-dd HH:mm:ss,SSS" ]
        timezone => "UTC"
    }
    multiline {
        pattern => "^(?!xxx).+"
        what => "previous"
    }
  }

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium