java日志格式需要多行匹配,在filebeat配置文件中添加:
### Multiline options
# Mutiline can be used for log messages spanning multiple lines. This is common
# for Java Stack Traces or C-Line Continuation
# The regexp Pattern that has to be matched. The example pattern matches all lines starting with [
multiline.pattern: ^\[
# Defines if the pattern set under pattern should be negated or not. Default is false.
multiline.negate: true
# Match can be set to "after" or "before". It is used to define if lines should be append to a pattern
# that was (not) matched before or after or as long as a pattern is not matched based on negate.
# Note: After is the equivalent to previous and before is the equivalent to to next in Logstash
multiline.match: after
上面配置的意思是:不以[开头的行都合并到上一行的末尾
pattern:正则表达式
negate:true 或 false;默认是false,匹配pattern的行合并到上一行;true,不匹配pattern的行合并到上一行
match:after 或 before,合并到上一行的末尾或开头
filebeat.prospectors:
-
input_type: log
paths:
- /home/work/workspace/ws/risk_rebuild/log/*.log
multiline:
pattern: '^\d{4}\-\d{2}\-\d{2}'
negate: true
match: after
max_lines: 20
timeout: 5s
tail_files: false
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["172.16.102.102:9200","172.16.102.103:9200","172.16.102.104:9200"]
index: "risk_engine"