Logstash 的配置文件：
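[root@10-19-148-59 etc]# cat test_front_console.conf
# Pipeline: receive events from Beats shippers, parse the 'test-front' and
# 'test-esb' application logs, and index them into Elasticsearch.

input {
  # NOTE(review): this listener accepts plaintext, unauthenticated Beats
  # connections on port 5077, so any host that can reach the port can submit
  # events. Restrict the port at the firewall and enable the beats input's TLS
  # settings (ssl, ssl_certificate, ssl_key) once certificates are available.
  beats {
    type => beats
    port => 5077
  }
}

filter {
  if [type] == 'test-front' {
    # A line that does not contain "##" is treated as a continuation (for
    # example a stack trace) and is appended to the previous event.
    # NOTE(review): with several shippers, lines from different sources may
    # interleave at this stage; joining multi-line events in the shipper
    # avoids that. Confirm against the deployment.
    multiline {
      pattern => ".*##.*"
      negate => true
      what => "previous"
    }

    # Split the joined message into fields. MSG is the custom pattern stored
    # in patterns_dir. remove_field is applied only when the match succeeds;
    # events that fail to parse keep all fields and get _grokparsefailure.
    # NOTE(review): dropping 'beat' and 'source' discards the shipper and
    # file-path metadata; keep them if events must be traceable to their
    # origin during an investigation.
    grok {
      patterns_dir => "/data/package/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.5/patterns"
      match => {"message"=>"%{DATA:date} %{LOGLEVEL:LEVEL} %{JAVACLASS:class} %{NOTSPACE:thread} %{NOTSPACE:requestId} %{MSG:msg}"}
      remove_field => ['@version', 'message', 'offset', 'source', 'input_type', 'beat']
    }
  }

  if [type] == 'test-esb' {
    multiline {
      pattern => ".*##.*"
      negate => true
      what => "previous"
    }

    # The original used a grok filter with no 'match' setting here. Such a
    # filter never reports a match, so its remove_field was never applied and
    # every event was tagged _grokparsefailure. mutate removes the fields
    # unconditionally, which is what the block is evidently meant to do.
    mutate {
      remove_field => ['@version', 'offset', 'source', 'input_type', 'beat']
    }
  }
}

output {
  if [type] == 'test-front' {
    # NOTE(review): events go to Elasticsearch over plain HTTP without
    # credentials. If the cluster is reachable from other hosts, protect it
    # with authentication and TLS (user, password, ssl, cacert on this output).
    elasticsearch {
      hosts => ["10.19.148.59:9200"]
      index => "test-front-%{+YYYY.MM.dd}"
    }

    # Debug aid: prints every parsed event to Logstash's stdout. Log content
    # ends up wherever stdout is captured, so remove this once parsing is
    # verified.
    stdout {
      codec => rubydebug
    }
  }

  if [type] == 'test-esb' {
    # Same plaintext, unauthenticated connection as the test-front output.
    elasticsearch {
      hosts => ["10.19.148.59:9200"]
      index => "test-esb-%{+YYYY.MM.dd}"
    }
  }
}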
在 patterns 目录下添加下面这个自定义正则表达式（即配置中 %{MSG:msg} 引用的 grok 模式 MSG）：
[root@10-19-148-59 patterns]# cat msg
# MSG: matches the rest of the event, including \r and \n, so a multi-line
# message is captured as a whole.
# Keep %{MSG} as the final token of a match expression: the alternatives
# overlap ('.' also matches \r), and a greedy group like this followed by more
# pattern can backtrack heavily on long log lines.
MSG (.|\r|\n)*