2017-05-23

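While parsing logs with the multiline codec using the TIMESTAMP field, I am getting incorrect output when the TIMESTAMP field is inside square brackets. Is this a bug in the multiline codec?

Configuration: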

input {
    file {
        path => "D:\logstash\logstash-2.4.0\bin\slowlogs.txt"
        start_position => "beginning"
        codec => multiline {
            pattern => "^%{TIMESTAMP_ISO8601} "
            negate => true
            what => previous
        }
    }
}

output {
    stdout { codec => rubydebug }
}

Logs:

[2015-08-24 11:49:14,389] [INFO ][env      ] [Letha] using [1] data paths, mounts [[/ 
(/dev/disk1)]], net usable_space [34.5gb], net total_space [118.9gb], types [hfs] 
[2015-08-24 11:49:14,389] [INFO ][env      ] [Letha] using [1] data paths, mounts [[/ 
(/dev/disk1)]], net usable_space [34.5gb], net total_space [118.9gb], types [hfs] 
[2015-08-24 11:49:14,389] [INFO ][env      ] [Letha] using [1] data paths, mounts [[/ 
(/dev/disk1)]], net usable_space [34.5gb], net total_space [118.9gb], types [hfs] 

Output:

{ 
    "@timestamp" => "2017-05-23T11:19:10.635Z", 
     "message" => "[2015-08-24 11:49:14,389] [INFO ][env 
] [Letha] using [1] data paths, mounts [[/\r\n(/dev/disk1)]], net usable_space [ 
34.5gb], net total_space [118.9gb], types [hfs]\r\n[2015-08-24 11:49:14,389] [IN 
FO ][env      ] [Letha] using [1] data paths, mounts [[/\r\n(/de 
v/disk1)]], net usable_space [34.5gb], net total_space [118.9gb], types [hfs]\r\ 
n[2015-08-24 11:49:14,389] [INFO ][env      ] [Letha] using [1] 
data paths, mounts [[/\r\n(/dev/disk1)]], net usable_space [34.5gb], net total_s 
pace [118.9gb], types [hfs]\r\n\r\n\r", 
     "@version" => "1", 
      "tags" => [ 
     [0] "multiline" 
    ], 
      "path" => "D:\\logstash\\logstash-2.4.0\\bin\\slowlogs.txt", 
      "host" => "PC326815" 
} 

The same logs with the [] removed:

2015-08-24 11:49:14,389 [INFO ][env      ] [Letha] using [1] data paths, mounts [[/
(/dev/disk1)]], net usable_space [34.5gb], net total_space [118.9gb], types [hfs]
2015-08-24 11:49:14,389 [INFO ][env      ] [Letha] using [1] data paths, mounts [[/
(/dev/disk1)]], net usable_space [34.5gb], net total_space [118.9gb], types [hfs]
2015-08-24 11:49:14,389 [INFO ][env      ] [Letha] using [1] data paths, mounts [[/
(/dev/disk1)]], net usable_space [34.5gb], net total_space [118.9gb], types [hfs]

I ran the same configuration and got this result:

This is fine and gives me the proper output. How can I achieve this with the timestamp field in brackets []?
{ 
    "@timestamp" => "2017-05-23T11:25:48.075Z", 
     "message" => "2015-08-24 11:49:14,389 [INFO ][env      ] 
[Letha] using [1] data paths, mounts [[/\r\n(/dev/disk1)]], net usable_space [3 
.5gb], net total_space [118.9gb], types [hfs]\r", 
     "@version" => "1", 
      "tags" => [ 
     [0] "multiline" 
    ], 
      "path" => "D:\\logstash\\logstash-2.4.0\\bin\\slowlogs.txt", 
      "host" => "PC326815" 
} 
{ 
    "@timestamp" => "2017-05-23T11:25:48.278Z", 
     "message" => "2015-08-24 11:49:14,389 [INFO ][env      ] 
[Letha] using [1] data paths, mounts [[/\r\n(/dev/disk1)]], net usable_space [3 
.5gb], net total_space [118.9gb], types [hfs]\r", 
     "@version" => "1", 
      "tags" => [ 
     [0] "multiline" 
    ], 
      "path" => "D:\\logstash\\logstash-2.4.0\\bin\\slowlogs.txt", 
      "host" => "PC326815" 
} 
←[33mSIGINT received. Shutting down the agent. {:level=>:warn}←[0m 
stopping pipeline {:id=>"main"} 
{ 
    "@timestamp" => "2017-05-23T11:25:57.421Z", 
     "message" => "2015-08-24 11:49:14,389 [INFO ][env      ] 
[Letha] using [1] data paths, mounts [[/\r\n(/dev/disk1)]], net usable_space [3 
.5gb], net total_space [118.9gb], types [hfs]\r\n\r\n\r", 
     "@version" => "1", 
      "tags" => [ 
     [0] "multiline" 
    ], 
      "path" => "D:\\logstash\\logstash-2.4.0\\bin\\slowlogs.txt", 
      "host" => "PC326815" 
} 

I have also tried pattern => "^\[%{TIMESTAMP_ISO8601}\] ". Thanks.

Answer

The problem is the multiline pattern you specified in the input. It should be as follows:

input {
    file {
        path => "D:\logstash\logstash-2.4.0\bin\slowlogs.txt"
        start_position => "beginning"
        codec => multiline {
            pattern => "^\[%{TIMESTAMP_ISO8601:TIMESTAMP}\]"
            negate => true
            what => previous
        }
    }
}

output {
    stdout { codec => rubydebug }
}
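
Why the unbracketed pattern merges the whole file into one event, shown as an added Ruby sketch (not part of the answer above and not Logstash's own code). It models only the negate => true / what => previous grouping rule; ISO8601_APPROX is a simplified stand-in for the grok TIMESTAMP_ISO8601 pattern, and group_multiline is a hypothetical helper name.

```ruby
# Simplified approximation of grok's TIMESTAMP_ISO8601 (assumption, not the real definition).
ISO8601_APPROX = /\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?/

# The two patterns from the page, with the grok macro expanded to the approximation.
UNBRACKETED = /^#{ISO8601_APPROX.source} /    # "^%{TIMESTAMP_ISO8601} "
BRACKETED   = /^\[#{ISO8601_APPROX.source}\]/ # "^\[%{TIMESTAMP_ISO8601:TIMESTAMP}\]"

# Model of `negate => true`, `what => previous`:
# a line that does NOT match the pattern is appended to the previous event,
# a line that matches starts a new event.
def group_multiline(lines, pattern)
  events = []
  lines.each do |line|
    if events.empty? || line.match?(pattern)
      events << [line]
    else
      events.last << line
    end
  end
  events.map { |parts| parts.join("\n") }
end

# Sample input rebuilt from the log lines shown in the question.
TS    = "2015-08-24 11:49:14,389"
FIRST = "[INFO ][env      ] [Letha] using [1] data paths, mounts [[/"
CONT  = "(/dev/disk1)]], net usable_space [34.5gb], net total_space [118.9gb], types [hfs]"

BRACKETED_LOG = (["[#{TS}] #{FIRST}", CONT] * 3).freeze
PLAIN_LOG     = (["#{TS} #{FIRST}", CONT] * 3).freeze

if __FILE__ == $0
  # No line starts with a bare timestamp, so nothing ever starts a new event.
  puts "bracketed log, unbracketed pattern: #{group_multiline(BRACKETED_LOG, UNBRACKETED).length} event(s)"
  # Escaping the literal [ and ] lets each timestamped line start its own event.
  puts "bracketed log, bracketed pattern:   #{group_multiline(BRACKETED_LOG, BRACKETED).length} event(s)"
  puts "plain log, unbracketed pattern:     #{group_multiline(PLAIN_LOG, UNBRACKETED).length} event(s)"
end
```

With the unbracketed pattern the three bracketed records collapse into a single event, which matches the first rubydebug output in the question; the merged event also carries only one @timestamp, so per-record times are lost to anything searching the logs downstream.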