我有一个日志文件,如下所述。我想使用 logstash 解析此文件。
2015-06-10 05:11:37,799 [good][status] [ErrorAttribute - AN EXCEPTION OCCURED:
Exception Occured1
Exception Occured1
Exception Occured1
Exception Occured1
Exception Occured1
Exception Occured1
Exception Occured1
]2015-06-10 05:36:35,517 [50][ERROR] [ErrorAttribute - AN EXCEPTION OCCURED:
Exception DiffernetOccured1
Exception DiffernetOccured1
Exception DiffernetOccured1
Exception DiffernetOccured1
Exception DiffernetOccured1
Exception DiffernetOccured1
Exception DiffernetOccured1
]
我想像以下字段格式一样解析上面的文件
@timestamp - 2015-06-10 05:11:37,799
Quality - good
Status- Pass
Details - ErrorAttribute - AN EXCEPTION OCCURED:
Exception Occured1
Exception Occured1
Exception Occured1
Exception Occured1
Exception Occured1
Exception Occured1
Exception Occured1
我想继续此步骤,直到我使用了 grok 表达式 grokparse 失败的文件末尾,因为日志信息包含许多行。我希望格罗克能逐行申请.
我想将信息解析为单独的事件,例如作为一个事件
2015-06-10 05:11:37,799 [50][ERROR] [ErrorAttribute - AN EXCEPTION OCCURED:
Exception Occured1
Exception Occured1
Exception Occured1
Exception Occured1
Exception Occured1
Exception Occured1
Exception Occured1
]
这是另一个事件
2015-06-10 05:36:35,517 [50][ERROR] [ErrorAttribute - AN EXCEPTION OCCURED:
Exception DiffernetOccured1
Exception DiffernetOccured1
Exception DiffernetOccured1
Exception DiffernetOccured1
Exception DiffernetOccured1
Exception DiffernetOccured1
Exception DiffernetOccured1
]
如何在日志过滤器中实现这一点。
您需要使用多行编解码器或筛选器将这些行合并到一个事件中进行处理。
我使用多行过滤器将消息分组为单个事件,通过使用拆分过滤器,我拆分为许多事件并解析了 Logstash 中的信息。
谢谢@Alain你的建议。