如何从 logstash 过滤器中的多个日志行生成单个输出 json 对象?
How to generate single output json object from multiple log lines in logstash filter?
我是 Logstash 和 Grok 过滤器的新手。我想解析这样的日志 -
2018-01-11 17:17:16,071 | DEBUG | [Thread-2] | com.example.monitor.MonitorHelper:cpuMonitoring(307) | CommittedVirtualMemorySize :: 401186816
2018-01-11 17:17:16,071 | DEBUG | [Thread-2] | com.example.monitor.MonitorHelper:cpuMonitoring(307) | FreePhysicalMemorySize :: 1751130112
2018-01-11 17:17:16,072 | DEBUG | [Thread-2] | com.example.monitor.MonitorHelper:cpuMonitoring(307) | FreeSwapSpaceSize :: 4294967295
2018-01-11 17:17:16,694 | DEBUG | [Thread-2] | com.example.monitor.MonitorHelper:cpuMonitoring(307) | ProcessCpuLoad :: -1.0
2018-01-11 17:17:16,694 | DEBUG | [Thread-2] | com.example.monitor.MonitorHelper:cpuMonitoring(307) | ProcessCpuTime :: 47471104300
2018-01-11 17:17:16,698 | DEBUG | [Thread-2] | com.example.monitor.MonitorHelper:cpuMonitoring(307) | SystemCpuLoad :: 1.0
2018-01-11 17:17:16,698 | DEBUG | [Thread-2] | com.example.monitor.MonitorHelper:cpuMonitoring(307) | TotalPhysicalMemorySize :: 4285849600
2018-01-11 17:17:16,698 | DEBUG | [Thread-2] | com.example.monitor.MonitorHelper:cpuMonitoring(307) | TotalSwapSpaceSize :: 4294967295
像这样的 JSON 对象 -
{
"timestamp": "2018-01-11 17:17:16,071",
"log_level": "DEBUG",
"thread_name": "Thread-2",
"class": "com.example.monitor.MonitorHelper",
"method": "cpuMonitoring",
"line_number": "307",
"CommittedVirtualMemorySize": "401186816",
"FreePhysicalMemorySize": "1751130112",
"FreeSwapSpaceSize": "4294967295",
"ProcessCpuLoad": "-1.0",
"ProcessCpuTime": "47471104300",
"SystemCpuLoad": "1.0",
"TotalPhysicalMemorySize": "4285849600",
"TotalSwapSpaceSize": "4294967295"
}
截至目前,我的 grok 模式是 -
%{TIMESTAMP_ISO8601:timestamp} \| %{LOGLEVEL:log_level} \| [(?\b[\w-]+\b)] \| %{JAVAFILE:class}:%{JAVAMETHOD:method}(%{NUMBER:line_number}) \| %{GREEDYDATA:log_message}
它为每个输入日志行提供多个输出行。 JSON 对象看起来像这样-
{
"timestamp": "2018-01-11 17:17:16,071",
"log_level": "DEBUG",
"thread_name": "Thread-2",
"class": "com.example.monitor.MonitorHelper",
"method": "cpuMonitoring",
"line_number": "307",
"log_message": "CommittedVirtualMemorySize :: 401186816 "
}
你能帮我看看我需要寻找什么才能实现这一目标吗?
第一个建议是将原来的日志输出改成单行。
如果您不能,并且您正在使用 filebeat 发送文件,请使用 FB 的 multiline config 合并行,然后再将其发送到 logstash。
如果你没有使用filebeat,你可以尝试使用logstash中的multiline codec。
我是 Logstash 和 Grok 过滤器的新手。我想解析这样的日志 -
2018-01-11 17:17:16,071 | DEBUG | [Thread-2] | com.example.monitor.MonitorHelper:cpuMonitoring(307) | CommittedVirtualMemorySize :: 401186816
2018-01-11 17:17:16,071 | DEBUG | [Thread-2] | com.example.monitor.MonitorHelper:cpuMonitoring(307) | FreePhysicalMemorySize :: 1751130112
2018-01-11 17:17:16,072 | DEBUG | [Thread-2] | com.example.monitor.MonitorHelper:cpuMonitoring(307) | FreeSwapSpaceSize :: 4294967295
2018-01-11 17:17:16,694 | DEBUG | [Thread-2] | com.example.monitor.MonitorHelper:cpuMonitoring(307) | ProcessCpuLoad :: -1.0
2018-01-11 17:17:16,694 | DEBUG | [Thread-2] | com.example.monitor.MonitorHelper:cpuMonitoring(307) | ProcessCpuTime :: 47471104300
2018-01-11 17:17:16,698 | DEBUG | [Thread-2] | com.example.monitor.MonitorHelper:cpuMonitoring(307) | SystemCpuLoad :: 1.0
2018-01-11 17:17:16,698 | DEBUG | [Thread-2] | com.example.monitor.MonitorHelper:cpuMonitoring(307) | TotalPhysicalMemorySize :: 4285849600
2018-01-11 17:17:16,698 | DEBUG | [Thread-2] | com.example.monitor.MonitorHelper:cpuMonitoring(307) | TotalSwapSpaceSize :: 4294967295
像这样的 JSON 对象 -
{
"timestamp": "2018-01-11 17:17:16,071",
"log_level": "DEBUG",
"thread_name": "Thread-2",
"class": "com.example.monitor.MonitorHelper",
"method": "cpuMonitoring",
"line_number": "307",
"CommittedVirtualMemorySize": "401186816",
"FreePhysicalMemorySize": "1751130112",
"FreeSwapSpaceSize": "4294967295",
"ProcessCpuLoad": "-1.0",
"ProcessCpuTime": "47471104300",
"SystemCpuLoad": "1.0",
"TotalPhysicalMemorySize": "4285849600",
"TotalSwapSpaceSize": "4294967295"
}
截至目前,我的 grok 模式是 -
%{TIMESTAMP_ISO8601:timestamp} \| %{LOGLEVEL:log_level} \| [(?\b[\w-]+\b)] \| %{JAVAFILE:class}:%{JAVAMETHOD:method}(%{NUMBER:line_number}) \| %{GREEDYDATA:log_message}
它为每个输入日志行提供多个输出行。 JSON 对象看起来像这样-
{
"timestamp": "2018-01-11 17:17:16,071",
"log_level": "DEBUG",
"thread_name": "Thread-2",
"class": "com.example.monitor.MonitorHelper",
"method": "cpuMonitoring",
"line_number": "307",
"log_message": "CommittedVirtualMemorySize :: 401186816 "
}
你能帮我看看我需要寻找什么才能实现这一目标吗?
第一个建议是将原来的日志输出改成单行。
如果您不能,并且您正在使用 filebeat 发送文件,请使用 FB 的 multiline config 合并行,然后再将其发送到 logstash。
如果你没有使用filebeat,你可以尝试使用logstash中的multiline codec。