Logstash: How to save an entry from earlier in a log for use across multiple lines later in the log?
Problem description
So the format of my logs looks something like this:
02:00:30> First line of log for date of 2014-08-13
...
04:03:30> Every other line of log
My question is: how can I save the date from the first line to create the timestamp for the other lines in the file?
Is there a way to set some kind of "global" field that I can reuse for other lines?
I'm looking at historical logs, so the current time isn't much use.
Recommended answer
I posted a memorize filter that you could use to do that. It was posted here.
You would use it like this:
filter {
  if [message] =~ /date of/ {
    # Only the header line carries the date; capture it into the "date" field.
    grok {
      match => [ "message", "date of (?<date>\d\d\d\d-\d\d-\d\d)" ]
    }
  } else {
    # Parse your log with grok or some other method that doesn't capture date.
    # (Logstash config comments use '#', not '//'.)
  }
  # Remembers "date" when present and adds the remembered value when absent.
  memorize {
    field => date
  }
}
So on the first line, because you extract a date, it'll memorize it... since it's not on the remaining lines, it'll add the memorized date to the events.
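The mechanism the answer relies on is a small piece of per-pipeline state: remember the last value of a field, copy it into events that lack it, and only then build the timestamp. The following Ruby script is an added example, not code from the original post nor the memorize plugin itself; it reimplements that logic over a constructed three-line log so the behaviour can be checked offline. The `Memorize` class, `process_log`, and the regexes are assumptions made for this illustration, and the timestamps are assumed to be UTC. It also shows the edge case the answer leaves implicit: a line that arrives before any date line gets no timestamp at all, and a later "date of" line resets the remembered value for everything after it.

```ruby
require 'time'

# Constructed sample log (not from the original post): the first line carries
# the date, every later line only a time of day.
SAMPLE_LOG = <<~LOG
  02:00:30> First line of log for date of 2014-08-13
  02:15:02> Something happened
  04:03:30> Every other line of log
LOG

# Stand-in for the memorize filter (hypothetical, written for this example):
# remembers the last seen value of `field` and copies it into events that
# lack it. Like the real plugin, the state lives for the whole pipeline run.
class Memorize
  def initialize(field)
    @field = field
    @remembered = nil
  end

  def filter(event)
    if event.key?(@field)
      @remembered = event[@field]   # a new date line overwrites the old one
    elsif @remembered
      event[@field] = @remembered   # fill in from the earlier line
    end
    event
  end
end

# Equivalent of the grok patterns: the header line carries the date,
# every line carries a time of day and a message text.
DATE_LINE = /date of (?<date>\d{4}-\d{2}-\d{2})/
ANY_LINE  = /\A(?<time>\d{2}:\d{2}:\d{2})> (?<text>.*)\z/

# Mirrors the filter block from the answer: extract the date when present,
# otherwise parse only time and text, run memorize, then stamp the event.
# Returns the list of event hashes so the result can be inspected.
def process_log(text, memorize = Memorize.new("date"))
  text.each_line.map do |raw|
    line = raw.chomp
    event = { "message" => line }
    if (m = ANY_LINE.match(line))
      event["time"] = m[:time]
      event["text"] = m[:text]
    end
    if (m = DATE_LINE.match(line))
      event["date"] = m[:date]
    end
    memorize.filter(event)
    if event["date"] && event["time"]
      # Combine the remembered date with this line's time (UTC assumed).
      stamp = Time.parse("#{event['date']}T#{event['time']}Z")
      event["@timestamp"] = stamp.utc.iso8601
    end
    event
  end
end

if __FILE__ == $PROGRAM_NAME
  process_log(SAMPLE_LOG).each { |e| puts "#{e['@timestamp']}  #{e['text']}" }
end
```

Because the remembered value is ordinary pipeline state, it only works when the header line is processed before the lines that need it; with several Logstash workers or multiple inputs the order is not guaranteed, so run this kind of filter with a single worker (or keep one file per pipeline) when replaying historical logs.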