背景:
[2014-03-02 17:34:20] - 127.0.0.1|ERROR| E:\xampp\htdocs\test.PHP|123|subject|The error message goes here ; array ( 'create' => array ( 'key1' => 'value1','key2' => 'value2','key3' => 'value3' ),) [2014-03-02 17:34:20] - 127.0.0.1|DEBUG| flush_multi_line
第二个条目[2014-03-02 17:34:20] – 127.0.0.1 | DEBUG | flush_multi_line是一个虚拟行,只是为了让logstash知道多行事件结束,这一行在后面被删除。
我的配置文件如下:
input {
stdin{}
}
filter{
multiline{
pattern => "^\["
what => "prevIoUs"
negate=> true
}
grok{
match => ['message',"\[.+\] - %{IP:ip}\|%{LOGLEVEL:loglevel}"]
}
if [loglevel] == "DEBUG"{ # the event flush line
drop{}
}else if [loglevel] == "ERROR" { # the first line of multievent
grok{
match => ['message',".+\|.+\| %{PATH:file}\|%{NUMBER:line}\|%{WORD:tag}\|%{GREEDYDATA:content}"]
}
}else{ # its a new line (from the multi line event)
mutate{
replace => ["content","%{content} %{message}"] # Supposing each new line will override the message field
}
}
}
output {
stdout{ debug=>true }
}
问题:
我的问题是我想将其余的多行存储到内容字段中:
The error message goes here ; array (
'create' =>
array (
'key1' => 'value1',)
所以我可以稍后删除消息字段。
@message字段包含整个多行事件,所以我尝试了mutate过滤器,替换功能就是这样,但我只是无法使其工作:(。
我不明白Multiline过滤器的工作方式,如果有人可以对此进行一些说明,那将是非常感激的。
谢谢,
阿卜杜
我浏览了源代码,发现:
>多行过滤器将取消被认为是待处理事件后续的所有事件,然后将该行附加到原始消息字段,这意味着在多行过滤器之后的任何过滤器将不适用于此情况
>唯一会通过过滤器的事件是被认为是新的过滤器(从我的例子开始的事情)
这是工作代码:
input {
stdin{}
}
filter{
if "|ERROR|" in [message]{ #if this is the 1st message in many lines message
grok{
match => ['message',"\[.+\] - %{IP:ip}\|%{LOGLEVEL:loglevel}\| %{PATH:file}\|%{NUMBER:line}\|%{WORD:tag}\|%{GREEDYDATA:content}"]
}
mutate {
replace => [ "message","%{content}" ] #replace the message field with the content field ( so it auto append later in it )
remove_field => ["content"] # we no longer need this field
}
}
multiline{ #Nothing will pass this filter unless it is a new event ( new [2014-03-02 1.... )
pattern => "^\["
what => "prevIoUs"
negate=> true
}
if "|DEBUG| flush_multi_line" in [message]{
drop{} # We don't need the dummy line so drop it
}
}
output {
stdout{ debug=>true }
}
干杯,
阿卜杜
