How to extend a field with a multiline message

I have a logstash config like this:

input {
  lumberjack {
    port => 5000
    type => "logs"
    ssl_certificate => "/path/to/mycert"
    ssl_key => "/path/to/mykey"
  }
}

filter {
  if [type] == "logs" {
    if [message] =~ /^\d\d\d\d/ {
      grok {
        match        => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:other_field} %{GREEDYDATA:content}" }
        add_field    => [ "received_at", "%{@timestamp}" ]
        add_field    => [ "received_from", "%{host}" ]
      }
    }
    multiline {
      pattern => "^\d\d\d\d"
      what    => "previous"
      negate  => true
    }
  }
}

output {
  elasticsearch { host => localhost }
}

Here is a sample log:

2015-04-09T04:56:37.548Z OtherField Send message:
Keepalive {
  Type: keepalive
  key: ABCDE
  time Thu Apr 09 00:56:37 EDT 2015
}

The content field ends with the string "Send message:\n" and nothing else. We would like the content field to be extended to contain: "Send message:\nKeepalive {\n Type: keepalive\n key: ABCDE\n time Thu Apr 09 00:56:37 EDT 2015\n}"

I have tried using add_field, but I could not even convince it to add a simple field (i.e. "multilinemsg", "true"), let alone extend the content field.

Any help would be greatly appreciated!
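The behaviour the question is asking about comes down to two things in the filter chain: the multiline filter has to run before grok (so grok sees the already-joined message), and the grok pattern's GREEDYDATA (`.*`) does not cross newlines unless the pattern starts with `(?m)`. The following Python script, added here as an illustration and not code from the question or from the Logstash project, models both steps on the question's own sample log: `multiline()` implements the `pattern`/`negate`/`what` semantics of the multiline filter, `grok()` is a simplified stand-in for the question's grok pattern (with `dotall` playing the role of `(?m)`), and `pipeline()` runs them in either order. The sample lines are constructed from the log excerpt above; a second event is appended so the last group is flushed the way a real stream would be.

```python
import re

# Constructed input: the question's sample log, one line per event as the
# lumberjack input delivers it, followed by one more event so that the
# multiline grouping of the first one is clearly terminated.
LINES = [
    "2015-04-09T04:56:37.548Z OtherField Send message:",
    "Keepalive {",
    "  Type: keepalive",
    "  key: ABCDE",
    "  time Thu Apr 09 00:56:37 EDT 2015",
    "}",
    "2015-04-09T04:56:38.000Z OtherField Next event",
]

# Same pattern as the question's multiline filter: a line that starts with
# four digits begins a new event.
START = re.compile(r"^\d\d\d\d")


def multiline(lines, pattern=START, negate=True, what="previous"):
    """Model of the Logstash multiline filter (assumption: simplified).

    negate=True means a line that does NOT match the pattern is the one that
    gets joined; what="previous" appends it to the event before it,
    what="next" holds it and attaches it to the event after it.
    """
    events, buf = [], []
    for line in lines:
        matched = bool(pattern.search(line))
        join = (not matched) if negate else matched
        if what == "previous":
            if join and buf:
                buf.append(line)
            else:
                if buf:
                    events.append("\n".join(buf))
                buf = [line]
        elif what == "next":
            buf.append(line)
            if not join:
                events.append("\n".join(buf))
                buf = []
        else:
            raise ValueError("what must be 'previous' or 'next'")
    if buf:
        events.append("\n".join(buf))
    return events


# Simplified stand-in for
#   %{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:other_field} %{GREEDYDATA:content}
# GREEDYDATA is ".*", and "." stops at a newline unless the pattern is
# prefixed with "(?m)" in Logstash, which re.DOTALL models here.
GROK = (r"^(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z) "
        r"(?P<other_field>\S+) (?P<content>.*)")


def grok(message, dotall=True):
    m = re.match(GROK, message, re.DOTALL if dotall else 0)
    return m.groupdict() if m else None


def pipeline(lines, multiline_first=True, dotall=True):
    """Run the two filters in the given order and return one dict per event."""
    if multiline_first:
        return [grok(event, dotall) for event in multiline(lines)]
    # The question's order: grok runs on each raw line before the lines are
    # joined, so the fields it set come from the first line of the group and
    # "content" never sees the continuation lines (assumption: simplified
    # model of how the multiline filter keeps the first event's fields).
    out = []
    for event in multiline(lines):
        first_line = event.split("\n", 1)[0]
        fields = grok(first_line, dotall) or {}
        fields["message"] = event
        out.append(fields)
    return out


if __name__ == "__main__":
    print("question's order:", repr(pipeline(LINES, multiline_first=False)[0]["content"]))
    print("multiline first, no (?m):", repr(pipeline(LINES, dotall=False)[0]["content"]))
    print("multiline first, with (?m):", repr(pipeline(LINES)[0]["content"]))
```

Running it shows three different values for `content` on the same input: with grok ahead of multiline only "Send message:" is captured, with multiline first but no `(?m)` the result is still "Send message:" because `.*` stops at the first newline, and only with multiline first and `(?m)%{TIMESTAMP_ISO8601:timestamp} ...` does content hold the whole block. In the Logstash config that corresponds to moving the `multiline { ... }` block above the `if [message] =~ /^\d\d\d\d/` check and prefixing the grok match string with `(?m)`.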
