多行日志
多行日志
背景: java程序一条日志常常会打印多行,在使用filebeat 收集日志时一条日志会分割成多个,不利于问题排查。
[beat-logstash-some-name-832-2015.11.28] IndexNotFoundException[no such index]
at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver$WildcardExpressionResolver.resolve(IndexNameExpressionResolver.java:566)
at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndices(IndexNameExpressionResolver.java:133)
at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndices(IndexNameExpressionResolver.java:77)
at org.elasticsearch.action.admin.indices.delete.TransportDeleteIndexAction.checkBlock(TransportDeleteIndexAction.java:75)
multiline
当input 类型为filestream 时书写语法:
filebeat.inputs:
- type: filestream
parsers:
- multiline:
type: pattern
pattern: '^\['
negate: true
match: after
当input 类型为log 时书写语法:
filebeat.inputs:
- type: log
multiline.type: pattern
multiline.pattern: '^\['
multiline.negate: true
multiline.match: after
参数介绍:
multiline.type定义多行聚合的方式。可选值:patterncount,count 用于指定多少行聚合为一行。multiline.pattern定义模式匹配的正则表达式multiline.negate是否为否定模式,即对multiline.pattern匹配到的内容是使用黑名单还是白名单。默认falsemultiline.match指定匹配到的内容是如何尽心拼接。可选值:afterbeforenegate
