• Logstash multiline: merging lines that start with a digit into one event


    [elk@node01 conf]$ cat t7.conf 
    input {
        file {
            type => "viewip"
            path => ["/home/elk/conf/cccc.txt"]
            start_position => "beginning"
        }
    }
    filter {
        multiline {
            pattern => "^[0-9]"
            negate => true
            what => "previous"
        }
    }
    output {
        elasticsearch {
            hosts => "192.168.137.2:9200"
            index => "logstash-viewip-%{+YYYY.MM.dd}"
        }
        stdout {
            codec => rubydebug {}
        }
    }
    
    [elk@node01 conf]$ cat cccc.txt 
    1.1.1.1
    aaaaaaa
    bbbbbbb
    2.2.2.2
    ccccccc
    ddddddd
    3.3.3.3
    eeeeeee
    fffffff
    4.4.4.4
    ggggggg
    hhhhhhh
    5.5.5.5
    iiiiiii
    jjjjjjj
    kkkkkkk
    
    [elk@node01 conf]$ logstash -f t7.conf 
    Settings: Default pipeline workers: 4
    Defaulting pipeline worker threads to 1 because there are some filters that might not work with multiple worker threads {:count_was=>4, :filters=>["multiline"], :level=>:warn}
    Pipeline main started
    {
           "message" => "1.1.1.1
    aaaaaaa
    bbbbbbb",
          "@version" => "1",
        "@timestamp" => "2018-07-31T02:31:33.540Z",
              "path" => "/home/elk/conf/cccc.txt",
              "host" => "node01",
              "type" => "viewip",
              "tags" => [
            [0] "multiline"
        ]
    }
    {
           "message" => "2.2.2.2
    ccccccc
    ddddddd",
          "@version" => "1",
        "@timestamp" => "2018-07-31T02:31:35.294Z",
              "path" => "/home/elk/conf/cccc.txt",
              "host" => "node01",
              "type" => "viewip",
              "tags" => [
            [0] "multiline"
        ]
    }
    {
           "message" => "3.3.3.3
    eeeeeee
    fffffff",
          "@version" => "1",
        "@timestamp" => "2018-07-31T02:31:35.296Z",
              "path" => "/home/elk/conf/cccc.txt",
              "host" => "node01",
              "type" => "viewip",
              "tags" => [
            [0] "multiline"
        ]
    }
    {
           "message" => "4.4.4.4
    ggggggg
    hhhhhhh",
          "@version" => "1",
        "@timestamp" => "2018-07-31T02:31:35.309Z",
              "path" => "/home/elk/conf/cccc.txt",
              "host" => "node01",
              "type" => "viewip",
              "tags" => [
            [0] "multiline"
        ]
    }
    {
           "message" => "5.5.5.5
    iiiiiii
    jjjjjjj
    kkkkkkk
    ",
          "@version" => "1",
        "@timestamp" => "2018-07-31T02:31:35.319Z",
              "path" => "/home/elk/conf/cccc.txt",
              "host" => "node01",
              "type" => "viewip",
              "tags" => [
            [0] "multiline"
        ]
    }
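
To make the merge rule above easy to reason about, here is an added Python re-implementation of the `pattern` / `negate` / `what` logic (example code written for this page, not Logstash's own Ruby implementation). It replays the constructed copy of `cccc.txt` from the post, including its trailing blank line, and also covers the `what => "next"` direction that the post does not exercise. Function names (`multiline`, `merge_like_t7`) and the sample data are this example's own.

```python
import re
from typing import Iterable, Iterator, List

# Constructed sample input mirroring cccc.txt from the post; the final ""
# is the blank line at the end of the file, which is why the last event's
# message ends with "\n" in the rubydebug output above.
SAMPLE_LINES = [
    "1.1.1.1", "aaaaaaa", "bbbbbbb",
    "2.2.2.2", "ccccccc", "ddddddd",
    "3.3.3.3", "eeeeeee", "fffffff",
    "4.4.4.4", "ggggggg", "hhhhhhh",
    "5.5.5.5", "iiiiiii", "jjjjjjj", "kkkkkkk", "",
]


def multiline(lines: Iterable[str], pattern: str,
              negate: bool = False, what: str = "previous") -> Iterator[str]:
    """Merge lines the way the Logstash multiline filter does.

    A line is a 'continuation' when (regex matches) XOR negate.
      what="previous": a continuation line is glued onto the event before it.
      what="next":     a continuation line is glued onto the event after it.
    Yields the merged messages (joined with "\\n") in order.
    """
    if what not in ("previous", "next"):
        raise ValueError("what must be 'previous' or 'next'")
    regex = re.compile(pattern)
    buffer: List[str] = []
    for line in lines:
        matched = regex.search(line) is not None
        continuation = matched != negate       # XOR with negate
        if what == "previous":
            if continuation:
                buffer.append(line)            # belongs to the event being built
            else:
                if buffer:                     # a new record starts: flush the old one
                    yield "\n".join(buffer)
                buffer = [line]
        else:  # what == "next"
            buffer.append(line)
            if not continuation:               # this line closes the record
                yield "\n".join(buffer)
                buffer = []
    # Simulation flushes whatever is left at end of input. Logstash itself keeps
    # the last group buffered until a flush, since it cannot know more lines
    # will not follow.
    if buffer:
        yield "\n".join(buffer)


def merge_like_t7(lines: Iterable[str] = SAMPLE_LINES) -> List[str]:
    """Apply exactly the t7.conf settings: pattern ^[0-9], negate true, what previous."""
    return list(multiline(lines, r"^[0-9]", negate=True, what="previous"))


if __name__ == "__main__":
    for i, message in enumerate(merge_like_t7()):
        print(f"event {i}: {message!r}")
    # what => "next" example: a trailing backslash means "continued on next line"
    print(list(multiline(["a \\", "b", "c"], r"\\$", negate=False, what="next")))
```

The simulation yields the same five events as the post's run, with the blank last line folded into the fifth event. One consequence visible in the post's own output: the `multiline` filter forces the pipeline to a single worker thread because its buffer is stateful, which is the reason the `multiline` codec on the input (where stream order is already guaranteed) is the replacement recommended by Logstash; the `pattern` / `negate` / `what` semantics demonstrated here are the same in both.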
    
    
  • Original article: https://www.cnblogs.com/hzcya1995/p/13349072.html
Copyright © 2020-2023  润新知