Input——Manage multiline messages
The files harvested by Filebeat may contain messages that span multiple lines of text. For example, multiline messages are common in files that contain Java stack traces. In order to correctly handle these multiline events, you need to configuremultilinesettings in thefilebeat.ymlfile to specify which lines are part of a single event.
Filebeat 收集的文件可能包含跨越多行文本的消息。例如,在包含 Java 堆栈跟踪的文件中,多行消息是很常见的。要正确处理这些多行事件,您需要在 `filebeat.yml` 文件中配置多行设置,以指定哪些行属于单个事件。
You can specify the following options in thefilebeat.inputssection of thefilebeat.ymlconfig file to control how Filebeat deals with messages that span multiple lines.
可以在 Filebeat.yml 配置文件的 Filebeat.input 部分中指定以下选项,以控制 Filebeat 如何处理跨多行的消息。
The following example shows how to configurefilestreaminput in Filebeat to handle a multiline message where the first line of the message begins with a bracket ([).
下面的示例演示如何在 Filebeat 配置 filestream 输入,以处理消息的第一行以括号([)开头的多行消息。
Please note that the example below only works withfilestreaminput, and not withloginput.
请注意,下面的示例只适用于文件流输入,而不适用于日志输入。
parsers:
- multiline:
type: pattern
pattern: '^\['
negate: true
match: after
If you still use the deprecatedloginput, there is no need to useparsers.
如果您仍在使用弃用的日志输入方式,就不需要使用解析器。
multiline.type: pattern multiline.pattern: '^\[' multiline.negate: true multiline.match: after
Filebeat takes all the lines that do not start with[and combines them with the previous line that does. For example, you could use this configuration to join the following lines of a multiline message into a single event:
[开头的行与前一行合并在一起。例如,您可以使用此配置将多行消息的以下行合并为一个事件:
[beat-logstash-some-name-832-2015.11.28] IndexNotFoundException[no such index]
at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver$WildcardExpressionResolver.resolve(IndexNameExpressionResolver.java:566)
at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndices(IndexNameExpressionResolver.java:133)
at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndices(IndexNameExpressionResolver.java:77)
at org.elasticsearch.action.admin.indices.delete.TransportDeleteIndexAction.checkBlock(TransportDeleteIndexAction.java:75)
标签:多行,Filebeat,Configure,lines,Manage,messages,filebeat,multiline,IndexNameExpressi From: https://www.cnblogs.com/zuoyang/p/17349471.html