时间戳

首页 > 解决方案 > Logstash:无法从指标中过滤行

logstash - Logstash:无法从指标中过滤行

问题描述


我需要从 URL 收集指标。指标的格式是这样的:

# HELP base:classloader_total_loaded_class_count Displays the total number of classes that have been loaded since the Java virtual machine has started execution.
# TYPE base:classloader_total_loaded_class_count counter
base:classloader_total_loaded_class_count 23003.0

我需要从收集的事件中排除所有以“#”字符开头的行。所以我安排了以下配置文件:

input {


  http_poller {
    urls => {
      pool_metrics => {
        method => "get"
        url => "http://localhost:10090/metrics"
        headers => {
          "Content-Type" => "text/plain"
        }
      }

}
request_timeout => 30
schedule => { cron => "* * * * * UTC"}
codec => multiline  {
pattern => "^#"
negate => "true"
what => previous
}
type => "server_metrics"
  }
}


output {
  elasticsearch {

    # An index is created for each type of metrics inpout
    index => "logstash-%{type}" 
  }

}

不幸的是,当我通过弹性搜索检查收集的数据时,我发现这并不是我所期望的。例如:

 {
        "_index" : "logstash-server_metrics",
        "_type" : "doc",
        "_id" : "2egAvWcBwbQ9kTetvX2o",
        "_score" : 1.0,
        "_source" : {
          "type" : "server_metrics",
          "tags" : [
            "multiline"
          ],
          "message" : "# TYPE base:gc_ps_scavenge_count counter\nbase:gc_ps_scavenge_count 24.0",
          "@version" : "1",
          "@timestamp" : "2018-12-17T16:30:01.009Z"
        }
      },

因此,带有“#”的行似乎没有被跳过,而是附加到指标的下一行。你能推荐任何修复它的方法吗?

标签: logstashlogstash-configuration

解决方案

行编解码器不能以这种方式工作。^#它将事件合并为一个事件,并附加与您观察到的不匹配的行。

我认为不可能使用编解码器丢弃消息,您必须改用丢弃过滤器

首先从您的输入配置中删除编解码器,然后将此过滤器部分添加到您的配置中:

filter {
  if [message] =~ "^#" {
    drop {}
  }
}

使用条件,如果消息匹配^#,事件将被丢弃过滤器丢弃,如你所愿。

推荐阅读