Logstash 配置(五)实战举例:将错误日志写入es
配置:
input {
file {
path => ["/usr/local/logstash-6.6.2/data_test/run_error.log"]
type => "error"
start_position => "beginning"
}
}
output {
elasticsearch {
hosts => ["192.168.109.133:9200"]
index => "logstash-%{type}-%{+YYYY.MM.dd}"
document_type => "%{type}"
sniffing => true
template_overwrite => true
}
}
-----------------------------------------------------------------------------
执行结果:
问题:一个错误被分成了多个document。如何解决?
解决方法-加codec配置:
input {
file {
path => ["/usr/local/logstash-6.6.2/data_test/run_error.log"]
type => "error"
start_position => "beginning"
codec=>multiline{
pattern=”^\[”
nagate=>true
what=>"orevious"
}
}
}
output {
elasticsearch {
hosts => ["192.168.109.133:9200"]
index => "logstash-%{type}-%{+YYYY.MM.dd}"
document_type => "%{type}"
sniffing => true
template_overwrite => true
}
}
浙公网安备 33010602011771号