Logstash:提供整个文件并通过用换行符拆分来创建新事件
Logstash: Feed whole file and create a new event by splitting with newline character
我有以下用于从 kafka 读取类似系统日志的消息的 logstash 配置:
input {
kafka {
bootstrap_servers => "172.24.0.3:9092"
topics => ["test"]
}
}
filter {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP}" }
}
}
output {
stdout { codec => rubydebug }
}
因此,当在 logstash 输入中发送系统日志行时,会在标准输出中生成以下消息:
来自卡夫卡
r = p1.send('test', b'Jul 16 09:07:47 ubuntu user: test500')
标准输出
{
"message" => "Jul 16 09:07:47 ubuntu user: test500",
"@version" => "1",
"@timestamp" => 2018-07-16T12:29:57.854Z,
"host" => "6d87dde4c74e"
}
现在,我想在每行末尾添加带有 \n 字符的多行,logstash 将输入处理为两条单独的消息,以便 logstash stdout 类似于以下示例:
同一条消息中来自 KAFKA 的多行
r = p1.send('test', b'Jul 16 09:07:47 ubuntu user: test501\nJul 16 09:07:47 ubuntu user: test502')
所需标准输出
{
"message" => "Jul 16 09:07:47 ubuntu user: test501",
"@version" => "1",
"@timestamp" => 2018-07-16T12:29:57.854Z,
"host" => "6d87dde4c74e"
}
{
"message" => "Jul 16 09:07:47 ubuntu user: test502",
"@version" => "1",
"@timestamp" => 2018-07-16T12:29:57.854Z,
"host" => "6d87dde4c74e"
}
关于如何在 logstash 上实现这种行为有什么想法吗?
我设法通过使用行编解码器实现了我上面描述的行为:
input {
kafka {
bootstrap_servers => "172.24.0.3:9092"
topics => ["test"]
## ## ## ## ##
codec => line
## ## ## ## ##
}
stdin {}
}
我有以下用于从 kafka 读取类似系统日志的消息的 logstash 配置:
input {
kafka {
bootstrap_servers => "172.24.0.3:9092"
topics => ["test"]
}
}
filter {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP}" }
}
}
output {
stdout { codec => rubydebug }
}
因此,当在 logstash 输入中发送系统日志行时,会在标准输出中生成以下消息:
来自卡夫卡
r = p1.send('test', b'Jul 16 09:07:47 ubuntu user: test500')
标准输出
{
"message" => "Jul 16 09:07:47 ubuntu user: test500",
"@version" => "1",
"@timestamp" => 2018-07-16T12:29:57.854Z,
"host" => "6d87dde4c74e"
}
现在,我想在每行末尾添加带有 \n 字符的多行,logstash 将输入处理为两条单独的消息,以便 logstash stdout 类似于以下示例:
同一条消息中来自 KAFKA 的多行
r = p1.send('test', b'Jul 16 09:07:47 ubuntu user: test501\nJul 16 09:07:47 ubuntu user: test502')
所需标准输出
{
"message" => "Jul 16 09:07:47 ubuntu user: test501",
"@version" => "1",
"@timestamp" => 2018-07-16T12:29:57.854Z,
"host" => "6d87dde4c74e"
}
{
"message" => "Jul 16 09:07:47 ubuntu user: test502",
"@version" => "1",
"@timestamp" => 2018-07-16T12:29:57.854Z,
"host" => "6d87dde4c74e"
}
关于如何在 logstash 上实现这种行为有什么想法吗?
我设法通过使用行编解码器实现了我上面描述的行为:
input {
kafka {
bootstrap_servers => "172.24.0.3:9092"
topics => ["test"]
## ## ## ## ##
codec => line
## ## ## ## ##
}
stdin {}
}