• logstash收集java日志,多行合并成一行


    使用codec的multiline插件实现多行匹配,这是一个可以将多行进行合并的插件,而且可以使用what指定将匹配到的行与前面的行合并还是和后面的行合并。
    1.java日志收集测试

    input {
    	stdin {
    		codec => multiline {
    			pattern => "^["						//以"["开头进行正则匹配
    			negate => true 							//正则匹配成功
    			what => "previous"						//和前面的内容进行合并
    		}
    	}
    }
    output {
    	stdout {
    		codec => rubydebug 
    	}
    }
    

    2.查看elasticsearch日志,已"["开头

    # cat /var/log/elasticsearch/cluster.log 
    [2018-05-29T08:00:03,068][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [systemlog-2018.05.29] creating index, cause [auto(bulk api)], templates [], shards [5]/[1], mappings []
    [2018-05-29T08:00:03,192][INFO ][o.e.c.m.MetaDataMappingService] [node-1] [systemlog-2018.05.29/DCO-zNOHQL2sgE4lS_Se7g] create_mapping [system]
    [2018-05-29T11:29:31,145][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [securelog-2018.05.29] creating index, cause [auto(bulk api)], templates [], shards [5]/[1], mappings []
    [2018-05-29T11:29:31,225][INFO ][o.e.c.m.MetaDataMappingService] [node-1] [securelog-2018.05.29/ABd4qrCATYq3YLYUqXe3uA] create_mapping [secure]
    

    3.配置logstash

    #vim /etc/logstash/conf.d/java.conf
    input {
            file {
                    path => "/var/log/elasticsearch/cluster.log"
                    type => "elk-java-log"
                    start_position => "beginning"
                    stat_interval => "2"
                    codec => multiline {
                            pattern => "^["
                            negate => true
                            what => "previous"
                    }
            }
    }
    output {
            if [type] == "elk-java-log" {
                    elasticsearch {
                            hosts => ["192.168.1.31:9200"]
                            index => "elk-java-log-%{+YYYY.MM.dd}"
                    }
            }
    }
    

    4.启动

    logstash -f /etc/logstash/conf.d/java.conf -t
    systemctl restart logstash 
    

    5.head插件查看

    6.kibana添加日志

  • 相关阅读:
    hadoop目录命令
    spark简单文件配置
    git简单使用
    1
    环境
    spring boot入门学习---热部署
    浅谈-对modbus的理解
    springboot集成调用Azkaban
    搭建自己的maven私服 必过
    Spring Boot 出现 in a frame because it set 'X-Frame-Options' to 'DENY'
  • 原文地址:https://www.cnblogs.com/lovelinux199075/p/9104389.html
Copyright © 2020-2023  润新知