[elk@node01 conf]$ cat ffff.txt
1.1.1.1 11111
aaaaaaa
bbbbbbb
2.2.2.2 222222
ccccccc
ddddddd
3.3.3.3 3333333
eeeeeee
fffffff
4.4.4.4 4444444
ggggggg
hhhhhhh
5.5.5.5 5555555
iiiiiii
jjjjjjj
kkkkkkk
[elk@node01 conf]$ cat t7.conf
# Logstash pipeline that reads ffff.txt and folds each "<ip> <value>" line
# together with the non-IP lines that follow it into one event.
input {
# The file input tails the listed path(s). "beginning" reads the file from
# its start rather than only new lines; note that Logstash's sincedb normally
# remembers the offset of files it has already seen, so this only takes effect
# for a file not yet recorded there (hence re-runs may emit nothing).
file {
type => "viewip"
path => ["/home/elk/conf/ffff.txt"]
start_position=>"beginning"
}
}
filter {
# A line that starts with a grok IP pattern opens a new event; every line that
# does NOT match (negate => true) is appended to the previous event
# (what => "previous"). Joined events are tagged "multiline", as seen in the
# rubydebug output below.
# NOTE(review): this filter forces the pipeline down to a single worker thread
# (Logstash warns about this at startup), and the last group in the file
# (5.5.5.5 ...) does not appear in the output below — the filter appears to
# hold the final group until another IP line arrives. Confirm the flush
# behaviour before relying on it; the multiline codec on the input side is the
# usual replacement where this Logstash version supports it.
multiline {
pattern => "^%{IP}"
negate=>true
what=>"previous"
}
}
output {
# Bare host:port with no scheme, TLS or credentials configured, so events are
# shipped to Elasticsearch in the clear and unauthenticated. Acceptable for a
# lab; a production pipeline should set ssl and user/password on this output.
# The index name uses the sprintf date format, giving one index per day.
elasticsearch {
hosts => "192.168.137.2:9200"
index => "logstash-viewip-%{+YYYY.MM.dd}"
}
# rubydebug echoes every complete event, message body included, to stdout.
# Useful while debugging the multiline grouping; remove it once the pipeline
# is trusted so log contents are not duplicated to the console/journal.
stdout {
codec=>rubydebug{}
}
}
[elk@node01 conf]$ logstash -f t7.conf
Settings: Default pipeline workers: 4
Defaulting pipeline worker threads to 1 because there are some filters that might not work with multiple worker threads {:count_was=>4, :filters=>["multiline"], :level=>:warn}
Pipeline main started
{
"message" => "1.1.1.1 11111
aaaaaaa
bbbbbbb",
"@version" => "1",
"@timestamp" => "2018-07-31T03:07:29.776Z",
"path" => "/home/elk/conf/ffff.txt",
"host" => "node01",
"type" => "viewip",
"tags" => [
[0] "multiline"
]
}
{
"message" => "2.2.2.2 222222
ccccccc
ddddddd",
"@version" => "1",
"@timestamp" => "2018-07-31T03:07:30.881Z",
"path" => "/home/elk/conf/ffff.txt",
"host" => "node01",
"type" => "viewip",
"tags" => [
[0] "multiline"
]
}
{
"message" => "3.3.3.3 3333333
eeeeeee
fffffff",
"@version" => "1",
"@timestamp" => "2018-07-31T03:07:30.883Z",
"path" => "/home/elk/conf/ffff.txt",
"host" => "node01",
"type" => "viewip",
"tags" => [
[0] "multiline"
]
}
{
"message" => "4.4.4.4 4444444
ggggggg
hhhhhhh",
"@version" => "1",
"@timestamp" => "2018-07-31T03:07:30.885Z",
"path" => "/home/elk/conf/ffff.txt",
"host" => "node01",
"type" => "viewip",
"tags" => [
[0] "multiline"
]
}