【发布时间】:2020-05-30 01:45:05
【问题描述】:
我有 filebeat->ES setup.no logstash。 我有如下日志:
2020 Feb 11 06:56:30:554 GMT -0500 DEBUG [LogPool$0] com.ZU.digital.utilityservices.logging.Logging - EAI-DEBUG | ProcessOrderStatus.rule: Id - : OrderStatusNotification Payload : <?xml version="1.0" encoding="UTF-8"?>
<ns0:OSN >
ns0:merchantID200142</ns0:merchantID>
ns0:orderCode2003787391047586</ns0:orderCode>
ns0:lastEventCAPTURED</ns0:lastEvent>
ns0:paymentAmount12.90</ns0:paymentAmount>
ns0:paymentCurrencyEUR</ns0:paymentCurrency>
ns0:paymentCreditDebitINDC</ns0:paymentCreditDebitIND>
ns0:additionalData
ns0:data
ns0:name/
ns0:value/
</ns0:data>
</ns0:additionalData>
</ns0:OSN>
2020 Feb 11 06:56:30:554 GMT -0500 DEBUG [LogPool$0] com.ZU.digital.utilityservices.logging.Logging - Masking input XML in maskEntireXml
我有多行模式:
multiline.pattern: '^[0-9]{4}[[:space:]]'
# Defines if the pattern set under pattern should be negated or not. Default is false.
multiline.negate: true
# Match can be set to "after" or "before". It is used to define if lines should be append to a pattern
# that was (not) matched before or after or as long as a pattern is not matched based on negate.
# Note: After is the equivalent to previous and before is the equivalent to to next in Logstash
multiline.match: after
但每一行都被视为单个事件。正则表达式在 playgolang 中经过测试并且工作正常。我希望日志作为日期之间的单个事件
【问题讨论】:
-
当我测试模式'^error:'并给出以“error”开头的行输入时,它给出了预期的输出。但在使用 ^[0-9]{4} 并提供以“2020”等开头的输入时不起作用
标签: elasticsearch logstash elastic-stack filebeat