我想问一下关于 fluentd 的问题。
我的 fluentd 版本如下。
td-agent-2.1.5-0.x86_64
fluentd 0.10.61
我现在有一个使用多行格式的尾部输入插件,它可以从日志中解析多行并设置为单个记录,如下所示。
2016-07-31T14:48:06+09:00 arm {"val1":"15:49:18.602384","val2":"5009","val3":"4896","val4":"3905","val5":"1811","val6":"10287","val7":"10271","val8":"1509","val9":"11064","val10":"10832","val11":"10673","val12":"9553","val13":"10660","val14":"9542","val15":"15:49:18.602509","val16":"3759","val17":"4758","val18":"2930","val19":"1261","val20":"7761","val21":"7767","val22":"1023","val23":"7905","val24":"7711","val25":"7918","val26":"7292","val27":"7940","val28":"6907"}
我需要将所有字段从 1 条记录拆分为 28 条记录,以便 elasticsearch 识别为不同的文档。
喜欢 ,
值1
值2
值3
...
val28
有什么方法可以在 fluentd 配置中实现这一点吗?也许,嵌入 ruby 代码?
谨致问候,渡边优
答案1
您需要提供一个正则表达式来单独解析字段,并将日志消息的 json 部分设置为字段message,时间戳应存储在字段中time,或者@timestamp它应该按您的预期工作,其中 ElasticSearch 会自动解释 json 有效负载。