• Handling multi-line events in logstash


    2.2.2 Multi-line event encoding:
    zjtest7-frontend:/usr/local/logstash-2.3.4/bin# ./plugin list | grep multi
    Ignoring ffi-1.9.13 because its extensions are not built.  Try: gem pristine ffi --version 1.9.13
    logstash-codec-multiline
    logstash-filter-multiline
    
    
    zjtest7-frontend:/usr/local/logstash-2.3.4/config# cat multi.comf 
    input {
      stdin {
        codec => multiline {
          # a line that does NOT start with "[" is appended to the previous line
          pattern => "^\["
          negate => true
          what => "previous"
        }
      }
    }

    output {
      stdout {
        codec => rubydebug {}
      }
    }
    
    
    /**********************
    
    zjtest7-frontend:/usr/local/logstash-2.3.4/config# ../bin/logstash -f multi.comf 
    Settings: Default pipeline workers: 1
    Pipeline main started
    [Aug/25/08 12:12:12] hello world
    
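    Pressing Enter at this point produces no output: no later line has yet matched the configured ^\[ regular expression, so logstash keeps waiting for the next line and only outputs this event once a match arrives.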
    
    
    zjtest7-frontend:/usr/local/logstash-2.3.4/config# ../bin/logstash -f multi.comf 
    Settings: Default pipeline workers: 1
    Pipeline main started
    [Aug/25/08 12:12:12] hello world
    [Aug 9527]
    {
        "@timestamp" => "2016-08-25T06:29:31.182Z",
           "message" => "[Aug/25/08 12:12:12] hello world",
          "@version" => "1",
              "host" => "0.0.0.0"
    }
    
    
    
    zjtest7-frontend:/usr/local/logstash-2.3.4/config# ../bin/logstash -f multi.comf 
    Settings: Default pipeline workers: 1
    Pipeline main started
    [Aug/08/08 14:54:03] hellow world
    [Aug/08/09 14:54:04] hello logstash
    {
        "@timestamp" => "2016-08-25T06:33:14.623Z",
           "message" => "[Aug/08/08 14:54:03] hellow world",
          "@version" => "1",
              "host" => "0.0.0.0"
    }
    hello best practice
    hello raochelin
    [Aug/09/10] the end
    {
        "@timestamp" => "2016-08-25T06:34:01.344Z",
           "message" => "[Aug/08/09 14:54:04] hello logstash
    hello best practice
    hello raochelin",
          "@version" => "1",
              "tags" => [
            [0] "multiline"
        ],
              "host" => "0.0.0.0"
    }
    
    
    This plugin is simple: it appends the current line to the end of the previous line, until a newly arriving line matches the ^\[ regex.
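
The buffering behaviour seen in the sessions above, as an added example that is not part of the original post and not the plugin's own code: a simplified Ruby model of what => "previous" with negate, replayed over the lines typed in the last session. The class name MultilineModel and the helper replay are hypothetical.

```ruby
# Simplified model of the multiline codec with what => "previous".
# Added illustration only; MultilineModel and replay are hypothetical names.
class MultilineModel
  def initialize(pattern, negate: false)
    @pattern = pattern
    @negate = negate
    @buffer = []
  end

  # Feed one line. Returns the completed event (a Hash), or nil when the
  # line was only buffered and nothing can be emitted yet.
  def feed(line)
    matched = @pattern.match?(line)
    continuation = @negate ? !matched : matched
    done = continuation ? nil : flush  # a non-continuation line closes the old event
    @buffer << line
    done
  end

  # Emit whatever is still buffered (for example at shutdown); nil if empty.
  def flush
    return nil if @buffer.empty?
    event = { "message" => @buffer.join("\n") }
    event["tags"] = ["multiline"] if @buffer.size > 1  # only merged events are tagged
    @buffer = []
    event
  end
end

# Input lines copied from the session above.
SAMPLE = [
  "[Aug/08/08 14:54:03] hellow world",
  "[Aug/08/09 14:54:04] hello logstash",
  "hello best practice",
  "hello raochelin",
  "[Aug/09/10] the end"
].freeze

# Returns [events emitted while reading, event still held in the buffer].
def replay(lines)
  model = MultilineModel.new(/^\[/, negate: true)
  emitted = lines.map { |l| model.feed(l) }.compact
  [emitted, model.flush]
end

emitted, pending = replay(SAMPLE)
emitted.each { |e| p e }
puts "still buffered: #{pending.inspect}"
```

The value reported as still buffered is the event that stays unshipped until another line starting with "[" arrives, which is why the last record of a log can lag behind everything before it.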

  • Original URL: https://www.cnblogs.com/zhaoyangjian724/p/6199312.html