Why won't Logstash multiline merge lines based on grok'd field?
Problem description
I'm trying to get logstash multiline to work with the following test file:

    val=abc
    123 abc
    test

and using the following config for the filter:

    filter
    {
      if [message] =~ "val"
      {
        grok
        {
          # capture the word after "val=" into the calc field
          match => ["message", "val=%{WORD:calc}"]
        }
      }
      multiline
      {
        pattern => [calc]
        what => "next"
      }
    }

The output shows up as follows (with the other fields stripped):

    "message" => "val=abc"
    "calc" => "abc"
    ...
    "message" => "123 abc"

The above lets me know that the grok is matching (hence the "calc" field) but I'm not sure why the multiline isn't merging the first and 2nd line.
Do you mean if the "calc" field exists, the first line and the second line will merge to a single event?

If yes, the following answer can help you. Your multiline pattern is incorrect. Please refer to this config:

    input {
      stdin {}
    }
    filter {
      if [message] =~ "val"
      {
        grok {
          match => ["message", "val=%{WORD:calc}"]
        }
      }
      multiline
      {
        pattern => "(val)"
        what => "next"
      }
    }
    output {
      stdout {
        codec => "rubydebug"
      }
    }

The pattern in multiline is: when the "message" field has the "val" word, you meet the pattern and it will multiline merge with the second line. In your example you use [calc], which means when the "message" field has the "calc" word; however, there is no "calc" in the "message" field.
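As an added illustration (not code from the question or the answer above), the Ruby script below simulates the merge rule the multiline filter applies: pattern is a regular expression tested against each line's message text, what => "next" holds a matching line and joins it onto the line after it, what => "previous" appends a matching line to the event before it, and negate => true inverts the match. It also shows why a pattern that is just the field name cannot work: the pattern is matched against the message text, not resolved to the grok'd field's value. The sample lines are constructed to mirror the question's test file, and the function names are assumptions of this example. Two practitioner caveats: the multiline filter used in this thread has since been deprecated in favour of the multiline codec on the input, which takes the same pattern/what/negate options; and for detection or forensic pipelines, merging at the input or at the shipper is what keeps a stack trace or a multi-line audit record from being split into separate events.

```ruby
# Added example, not code from the original thread: a small model of the
# merge rule Logstash's multiline filter/codec applies.
#   pattern  regular expression tested against each line's message text
#   what     :next     -> a matching line is held and joined to the line after it
#            :previous -> a matching line is appended to the event before it
#   negate   true inverts the match, e.g. "lines that do NOT start with a timestamp"
# Events are returned as the joined strings (Logstash joins with "\n").
def multiline_merge(lines, pattern:, what:, negate: false)
  re = pattern.is_a?(Regexp) ? pattern : Regexp.new(pattern)
  events = []
  pending = nil # matching lines waiting for the line that follows (what: :next)

  lines.each do |line|
    matched = !(line =~ re).nil?
    matched = !matched if negate

    case what
    when :next
      if matched
        pending = pending ? "#{pending}\n#{line}" : line
      else
        events << (pending ? "#{pending}\n#{line}" : line)
        pending = nil
      end
    when :previous
      if matched && !events.empty?
        events[-1] = "#{events[-1]}\n#{line}"
      else
        events << line
      end
    else
      raise ArgumentError, "what must be :next or :previous"
    end
  end

  events << pending if pending # flush a trailing match at end of input
  events
end

# Constructed to mirror the question's test file.
SAMPLE_LINES = ["val=abc", "123 abc", "test"].freeze

# The answer's config: pattern "(val)" with what => "next".
def merge_with_val_pattern
  multiline_merge(SAMPLE_LINES, pattern: "(val)", what: :next)
end

# A pattern that is just the field name is matched literally against the
# message text; no line contains "calc", so nothing is merged.
def merge_with_field_name_pattern
  multiline_merge(SAMPLE_LINES, pattern: "calc", what: :next)
end

# Indented continuation lines belong to the previous event, the usual
# stack-trace shape (constructed sample).
def merge_indented_continuations
  trace = ["ERROR boom", "  at a.b.C", "  at d.e.F", "INFO next"]
  multiline_merge(trace, pattern: /^\s/, what: :previous)
end

# The common "negate" idiom: every line that does not start with a
# timestamp is glued onto the event before it (constructed sample).
def merge_by_negated_timestamp
  log = ["2024-01-01 start", "continued", "2024-01-01 second"]
  multiline_merge(log, pattern: /^\d{4}-\d{2}-\d{2}/, what: :previous, negate: true)
end

if __FILE__ == $PROGRAM_NAME
  p merge_with_val_pattern        # ["val=abc\n123 abc", "test"]
  p merge_with_field_name_pattern # ["val=abc", "123 abc", "test"]
end
```

Run it with ruby and compare the first two results: with "(val)" the first and second lines of the question's file become one event, with "calc" every line stays separate, which is exactly the difference the answer describes.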