Logstash: multi-line log messages converted into a single-line log message

Problem description

I am printing the log messages below

{"timestamp":"15-06-2020 22:12:35","level":"INFO","thread":"http-nio-8080-exec-2","mdc":{"Z-Request-Id":"20200615101234-2c078173-66c2-49ce-93ec-40dfab2a7312","destination":"backendorg"},"logger":"com.AbcHandler","message":"host: localhost, port: 9200, index: zindex and protocol: http","context":"ZPlatform"}
{"timestamp":"15-06-2020 22:12:35","level":"INFO","thread":"http-nio-8080-exec-2","mdc":{"Z-Request-Id":"20200615101234-2c078173-66c2-49ce-93ec-40dfab2a7312","destination":"backendorg"},"logger":"com.AbcHandler","message":"batchNumber: 1 and batchSize: 50","context":"ZPlatform"}

I am using the multiline codec to parse the above messages; below is my logstash configuration file

input {
  file {
    start_position => "end"
    sincedb_path => "/tmp/sincedb_file"
    codec => multiline {
      pattern => "^Spalanzani"
      negate => true
      what => previous
    }
  }
}
filter {
  if [type] == "app" {
    grok {
      match => [ "message", "%{GREEDYDATA:jsonstring}" ]
    }
    json {
      source => "jsonstring"
      target => "parsedJson"
      remove_field => ["jsonstring"]
    }
    mutate {
      add_field => {
        "frontendDateTime" => "%{[parsedJson][timestamp]}"
        "logMessage" => "%{[parsedJson][message]}"
      }
    }
    mutate {
      remove_field => [ "parsedJson" ]
    }
  }
}

But what I see is that all of the above messages are merged together. I don't know why this happens. It should show me separate log messages

{
                "tags" => [
        [0] "multiline"
    ],

             "message" => "{\"timestamp\":\"15-06-2020 22:12:35\",\"level\":\"INFO\",\"thread\":\"http-nio-8080-exec-2\",\"mdc\":{\"Z-Request-Id\":\"20200615101234-2c078173-66c2-49ce-93ec-40dfab2a7312\",\"destination\":\"backendorg\"},\"logger\":\"com.AbcHandler\",\"message\":\"host: localhost, port: 9200, index: zindex and protocol: http\",\"context\":\"ZPlatform\"}\n{\"timestamp\":\"15-06-2020 22:12:35\",\"level\":\"INFO\",\"thread\":\"http-nio-8080-exec-2\",\"mdc\":{\"Z-Request-Id\":\"20200615101234-2c078173-66c2-49ce-93ec-40dfab2a7312\",\"destination\":\"backendorg\"},\"logger\":\"com.AbcHandler\",\"message\":\"batchNumber: 1 and batchSize: 50\",\"context\":\"ZPlatform\"}",
          "logMessage" => "search string: ",
          "@timestamp" => 2020-06-15T16:42:38.256Z
}

Can someone help me?

Tags: elasticsearch, logstash

Solution
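
Why the two lines merge, shown as an added example that is not part of the original page: a small Python model of the multiline codec's `negate` / `what => previous` rule, run over shortened copies of the two log lines from the question. The pattern `^\{` and the function names are assumptions made for illustration, and the JSON check uses Python's json module rather than Logstash's json filter.

```python
import json
import re

# Constructed sample: the two JSON log lines from the question, shortened.
SAMPLE_LINES = [
    '{"timestamp":"15-06-2020 22:12:35","level":"INFO",'
    '"message":"host: localhost, port: 9200, index: zindex and protocol: http"}',
    '{"timestamp":"15-06-2020 22:12:35","level":"INFO",'
    '"message":"batchNumber: 1 and batchSize: 50"}',
]


def multiline_previous(lines, pattern, negate):
    """Model of the multiline codec with what => previous.

    A line belongs to the previous line when it matches the pattern or,
    with negate => true, when it does NOT match. Such lines are appended
    to the buffered event; any other line starts a new event.
    """
    regex = re.compile(pattern)
    events, buffer = [], []
    for line in lines:
        matched = regex.search(line) is not None
        continuation = (not matched) if negate else matched
        if buffer and not continuation:
            events.append("\n".join(buffer))
            buffer = []
        buffer.append(line)
    if buffer:  # end of input; the real codec flushes on its own schedule
        events.append("\n".join(buffer))
    return events


def parse_events(events):
    """Strictly parse each event as one JSON document (None on failure)."""
    parsed = []
    for event in events:
        try:
            parsed.append(json.loads(event))
        except json.JSONDecodeError:
            parsed.append(None)  # merged lines are not a single JSON document
    return parsed


if __name__ == "__main__":
    for pattern in (r"^Spalanzani", r"^\{"):
        events = multiline_previous(SAMPLE_LINES, pattern, negate=True)
        print(pattern, len(events), parse_events(events))
```

With `^Spalanzani` and `negate => true`, no line matches, so every line is treated as a continuation of the previous one and a single event results. When each log entry is already one JSON object per line, the multiline codec can be dropped from the file input altogether.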

