为了让我们的error日志不换行,我们就需要引入multiline这个中间键
因为logstash本身不带,所以需要我们安装,在我们的logstash的bin目录下执行
E:\tools\logstash\logstash-6.8.23\bin>logstash-plugin.bat install logstash-fi
lter-multiline如下,出现successful则表示安装成功
E:\tools\logstash\logstash-6.8.23\bin> logstash-plugin.bat install logstash-filt
er-multiline
Validating logstash-filter-multiline
Installing logstash-filter-multiline
Installation successful
其次我们就需要重新配置logstash的配置文件logstash.conf
配置文件的filter部分如下
filter {
multiline {
pattern => "^[0-9]{4}-[0-9]{2}-[0-9]{2}\ [0-9]{2}:[0-9]{2}:[0-9]{2}" # 正则匹配以[开头的
negate => true # true:表示不匹配正则表达式时,false:匹配正则表达式时(negate相反的)
what => "previous" # 设置未匹配的内容是向前合并还是先后合并,previous向前合并,next向后合并
}
}完整内容如下:
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
file{
path => ["D:/log/documentdemo/*.log"]
start_position => "beginning"
# type随便填写个名字
type => "document-demo-system"
}
file{
path => ["D:/log/say/*.log"]
start_position => "beginning"
type => "say-system"
}
}
filter {
multiline {
pattern => "^[0-9]{4}-[0-9]{2}-[0-9]{2}\ [0-9]{2}:[0-9]{2}:[0-9]{2}" # 正则匹配以[开头的
negate => true # true:表示不匹配正则表达式时,false:匹配正则表达式时(negate相反的)
what => "previous" # 设置未匹配的内容是向前合并还是先后合并,previous向前合并,next向后合并
}
}
output {
if [type] == "document-demo-system" {
elasticsearch {
hosts => ["http://localhost:9200"]
index => "document-logs-%{+YYYY.MM.dd}"
}
}
if [type] == "say-system" {
elasticsearch {
hosts => ["http://localhost:9200"]
index => "say-logs-%{+YYYY.MM.dd}"
}
}
# 可选:将日志输出到控制台进行调试
# stdout { codec => rubydebug }
}
至此就能看到我们的ERROR日志不换行的结果了