问题
I've searched SO and of course the searchengine of choice but found no valid solution.
I try to parse a multiline logfile with logstash without any success.
The logfile looks like:
appl.log
2014-02-31 11:06:55,268 - WARN main com.applicationname.commons.shop.OrderDetails
java.lang.NullPointerException
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
2014-02-31 11:06:55,268 - WARN main com.applicationname.commons.shop.OrderDetails
java.lang.NullPointerException
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
AFAIK the lines a starting with "\t...at "
My current (non working version) conf for logstash looks like:
logstash.conf
input =>
input {
file {
path => "/var/log/appl.log"
type => "appl"
codec => multiline {
negate => true
pattern => "^\s"
what => "previous"
}
}
}
filter =>
filter {
if [type] == "appl" {
grok {
add_tag => [ "groked" ]
match => ["message", ".*"]
remove_tag => ["_grokparsefailure"]
}
}
}
Any lead into the right direction for a working multiline filter is welcome.
回答1:
Try this :
input =>
input {
file {
path => "/var/log/appl.log"
type => "appl"
codec => multiline {
pattern => "^%{TIMESTAMP_ISO8601} "
negate => true
what => "previous"
}
}
}
filter =>
filter {
if [type] == "appl" {
grok {
add_tag => [ "groked" ]
match => ["message", ".*"]
remove_tag => ["_grokparsefailure"]
}
}
}
来源:https://stackoverflow.com/questions/24552512/multiline-pattern-for-logstash