1.Java 堆栈跟踪
Java 堆栈跟踪由多行组成,初始行后的每一行都以空格开头,如以下示例所示:
Exception in thread "main" java.lang.NullPointerException
at com.example.myproject.Book.getTitle(Book.java:16)
at com.example.myproject.Author.getBookTitles(Author.java:25)
at com.example.myproject.Bootstrap.main(Bootstrap.java:14)
filebeat中将这些行合并未单个事件
multiline.pattern: '^[[:space:]]'
multiline.negate: false
multiline.match: after
复杂示例
Exception in thread "main" java.lang.IllegalStateException: A book has a null property
at com.example.myproject.Author.getBookIds(Author.java:38)
at com.example.myproject.Bootstrap.main(Bootstrap.java:14)
Caused by: java.lang.NullPointerException
at com.example.myproject.Book.getId(Book.java:22)
at com.example.myproject.Author.getBookIds(Author.java:35)
... 1 more
filebeat合并:
multiline.pattern: '^[[:space:]]+(at|\.{3})\b|^Caused by:'
multiline.negate: false
multiline.match: after
2.行延续
printf ("%10.10ld \t %10.10ld \t %s\
%f", w, x, y, z );
合并配置:
multiline.pattern: '\\$'
multiline.negate: false
multiline.match: before
3.时间戳
[2015-08-24 11:49:14,389][INFO ][env ] [Letha] using [1] data paths, mounts [[/
(/dev/disk1)]], net usable_space [34.5gb], net total_space [118.9gb], types [hfs]
合并配置:
multiline.pattern: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}'
multiline.negate: true
multiline.match: after
4.应用事件
[2015-08-24 11:49:14,389] Start new event
[2015-08-24 11:49:14,395] Content of processing something
[2015-08-24 11:49:14,399] End event
合并配置:
multiline.pattern: 'Start new event'
multiline.negate: true
multiline.match: after
multiline.flush_pattern: 'End event'
5.实际常使用配置
json格式日志:
multiline.pattern: '^\{'
multiline.negate: true
multiline.match: after
text:
multiline.pattern: '^2'
multiline.negate: true
multiline.match: after
配置解说:
multiline.negate: true multiline.match: after 与模式不匹配的连续行将追加到匹配的前一行 其他参考:管理多行消息|文件节拍参考 [7.1] |弹性的 (elastic.co)
multiline.flush_pattern 指定一个正则表达式,在该表达式中,将从内存中刷新当前多行,从而结束多行消息。
参考官网:多行配置|示例文件节拍参考 [7.1] |弹性的 (elastic.co)
