logstash：http 输入只需要第一行（带有 csv 过滤器）

Question

我是 elk 堆栈的新手，并试图监控通过 http 发送的日志。我有以下logstash配置。但它只读取第一行并将第一行发送到弹性搜索，尽管我在我的 http POST 请求正文中发送了多行（我使用 chromes DHC 插件将 http 请求发送到 logstash）。请帮我阅读完整数据并将它们发送到弹性搜索。

input {
  http {
    host => "127.0.0.1" # default: 0.0.0.0
    port => 8081 # default: 8080
    threads => 10
  }
}

filter {
  csv {
      separator => ","
      columns => ["posTimestamp","posCode","logLevel","location","errCode","errDesc","detail"]
  }
  date {
    match => ["posTimestamp", "ISO8601"]
  }
  mutate {
     strip => ["posCode", "logLevel", "location", "errCode", "errDesc" ]
     remove_field => [ "path", "message", "headers" ]
  }
}

output { 
    elasticsearch {
      protocol => "http"
      host => "localhost"
      index => "temp"
    }
    stdout { 
        codec => rubydebug
    }
}

样本数据： 2015-08-24T05:21:40.468,352701060205140,ERROR,Colombo,ERR_01,INVALID_CARD,测试 POS 错误 2015-08-24T05:21:41.468,352701060205140,ERROR,Colombo,ERR_01,INVALID_CARD,测试 POS 错误 2015-08-24T05:23:40.468,81021320,ERROR,Colombo,ERR_01,INVALID_CARD,测试 POS 错误 2015-08-25T05:23:50.468,352701060205140,ERROR,Colombo,ERR_02,TIME_OUT,测试 POS 错误

Answer 1

通过添加拆分过滤器设法解决了这个问题。

拆分{ }