filebeat Configure 篇章—Input—Manage multiline messages

Input——Manage multiline messages

  The files harvested by Filebeat may contain messages that span multiple lines of text. For example, multiline messages are common in files that contain Java stack traces. In order to correctly handle these multiline events, you need to configuremultilinesettings in thefilebeat.ymlfile to specify which lines are part of a single event.

  Filebeat 收集的文件可能包含跨越多行文本的消息。例如，在包含 Java 堆栈跟踪的文件中，多行消息是很常见的。要正确处理这些多行事件，您需要在 `filebeat.yml` 文件中配置多行设置，以指定哪些行属于单个事件。

  You can specify the following options in thefilebeat.inputssection of thefilebeat.ymlconfig file to control how Filebeat deals with messages that span multiple lines.

  可以在 Filebeat.yml 配置文件的 Filebeat.input 部分中指定以下选项，以控制 Filebeat 如何处理跨多行的消息。

  The following example shows how to configurefilestreaminput in Filebeat to handle a multiline message where the first line of the message begins with a bracket ([).

  下面的示例演示如何在 Filebeat 配置 filestream 输入，以处理消息的第一行以括号([)开头的多行消息。

  Please note that the example below only works withfilestreaminput, and not withloginput.

  请注意，下面的示例只适用于文件流输入，而不适用于日志输入。

parsers:
- multiline:
    type: pattern
    pattern: '^\['
    negate: true
    match: after

If you still use the deprecatedloginput, there is no need to useparsers.

如果您仍在使用弃用的日志输入方式，就不需要使用解析器。

multiline.type: pattern
multiline.pattern: '^\['
multiline.negate: true
multiline.match: after

  Filebeat takes all the lines that do not start with[and combines them with the previous line that does. For example, you could use this configuration to join the following lines of a multiline message into a single event:

  Filebeat 会将所有不以[开头的行与前一行合并在一起。例如，您可以使用此配置将多行消息的以下行合并为一个事件：

[beat-logstash-some-name-832-2015.11.28] IndexNotFoundException[no such index]
    at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver$WildcardExpressionResolver.resolve(IndexNameExpressionResolver.java:566)
    at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndices(IndexNameExpressionResolver.java:133)
    at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndices(IndexNameExpressionResolver.java:77)
    at org.elasticsearch.action.admin.indices.delete.TransportDeleteIndexAction.checkBlock(TransportDeleteIndexAction.java:75)

multiline.type

  Defines which aggregation method to use. The default is pattern. The other options are count which lets you aggregate constant number of lines and while_pattern which aggregate lines by pattern without match option.

  定义要使用的聚合方法。默认为模式（pattern）。其他选项是计数（count），它允许您聚合恒定数量的行，以及while_pattern，它通过模式聚合行而不使用匹配选项。

multiline.pattern

  Specifies the regular expression pattern to match. Note that the regexp patterns supported by Filebeat differ somewhat from the patterns supported by Logstash. See Regular expression support for a list of supported regexp patterns. Depending on how you configure other multiline options, lines that match the specified regular expression are considered either continuations of a previous line or the start of a new multiline event. You can set the negate option to negate the pattern.

multiline.negate

  Defines whether the pattern is negated. The default is false.

multiline.match

  Specifies how Filebeat combines matching lines into an event. The settings are after or before. The behavior of these settings depends on what you specify for negate: