How to process multiline log entry with logstash filter?

终归单人心 2020-12-14 01:26

Background:

I have a custom generated log file that has the following pattern:

[2014-03-02 17:34:20] - 127.0.0.1|ERROR| E:\\xampp\\htdocs\\test.ph         


        
4 answers
  •  半阙折子戏
    2020-12-14 02:04

    The multiline filter will add the "\n" to the message. For example:

    "[2014-03-02 17:34:20] - 127.0.0.1|ERROR| E:\\xampp\\htdocs\\test.php|123|subject|The error message goes here ; array (\n  'create' => \n  array (\n    'key1' => 'value1',\n    'key2' => 'value2',\n    'key3' => 'value3'\n  ),\n)"
    

    However, the grok filter can't parse the "\n". Therefore you need to substitute the \n with another character, say, a blank space.

    mutate {
        gsub => ['message', "\n", " "]
    }
    

    Then the grok pattern can parse the message. For example:

     "content" => "The error message goes here ; array (   'create' =>    array (     'key1' => 'value1',     'key2' => 'value2',     'key3' => 'value3'   ), )"
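
The steps from the answer above, written out as one complete Logstash pipeline. This is an added example, not part of the original answer. It uses the multiline codec on the input instead of the multiline filter the answer mentions, and every field name except `content`, as well as the file names in the comment, are assumptions.

```logstash
# Added example. Assumed invocation: bin/logstash -f multiline.conf < app.log
input {
  stdin {
    codec => multiline {
      # A new entry starts with "[2014-03-02 17:34:20]"; any line that does
      # not start that way is appended to the previous entry.
      pattern => "^\[%{TIMESTAMP_ISO8601}\]"
      negate => true
      what => "previous"
      # Flush the last buffered entry after 2 seconds without new lines.
      auto_flush_interval => 2
    }
  }
}

filter {
  # The joined entry contains "\n"; replace each newline with a space,
  # as in the answer, before grok sees the message.
  mutate {
    gsub => ["message", "\n", " "]
  }

  # Fields follow the sample line:
  # [timestamp] - ip|LEVEL| file|line|subject|content
  grok {
    match => {
      "message" => "^\[%{TIMESTAMP_ISO8601:timestamp}\] - %{IP:client_ip}\|%{LOGLEVEL:level}\|\s*%{DATA:file}\|%{INT:line}\|%{DATA:subject}\|%{GREEDYDATA:content}$"
    }
  }

  # Use the entry's own time as @timestamp instead of the ingest time.
  date {
    match => ["timestamp", "yyyy-MM-dd HH:mm:ss"]
  }
}

output {
  # Entries that did not match the pattern carry the _grokparsefailure tag.
  stdout { codec => rubydebug }
}
```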
    
