
Pattern to match a complete word in a Filebeat multiline pattern

Stack Overflow user
Asked 2016-10-06 13:58:12
Answers 1, Views 854, Followers 0, Votes 1

I am using a Filebeat pattern in filebeat.yml, which takes its input from a single file, as shown below:

2016-10-06 14:36:00.419 DEBUG 29695 --- [XNIO-2 task-2] c.a.a.s.endpoint.endone.server  : requestStartIdentifier: Identifier
2016-10-06 14:36:00.419 DEBUG 29695 --- [XNIO-2 task-2] c.a.a.s.endpoint.endone.server  : requestUri: 
2016-10-06 14:36:00.420 DEBUG 29695 --- [XNIO-2 task-2] c.a.a.s.endpoint.endone.server  : HttpServletRequest:
	ContentType: text/xml; charset=utf-8
	ContextPath: 
	LocalAddr: 
	LocalName: 
	PathInfo: 
	PathTranslated: 
	QueryString: 
	RequestURI: 
	RequestURL: 
	RemoteHost: 
	ServletPath: 
	Header: Host: 
	Header: Content-Length: 
	Header: Accept-Encoding: 
	Header: SOAPAction: ""
	Header: User-Agent: Apache-HttpClient/4.2.1 
	Header: Content-Type: text/xml; charset=utf-8
	Header: Connection: Keep-Alive
	Header: Accept: text/xml
	
2016-10-06 14:36:00.420 DEBUG 29695 --- [XNIO-2 task-2] c.a.a.s.endpoint.endone.server  : uri: , request:
<env:Envelope></env:Envelope>

2016-10-06 14:36:00.419 DEBUG 29695 --- [XNIO-2 task-2] c.a.a.s.endpoint.endone.server  : requestStartIdentifier: Identifier
2016-10-06 14:36:00.419 DEBUG 29695 --- [XNIO-2 task-2] c.a.a.s.endpoint.endone.server  : requestUri: 
2016-10-06 14:36:00.420 DEBUG 29695 --- [XNIO-2 task-2] c.a.a.s.endpoint.endone.server  : HttpServletRequest:
	ContentType: text/xml; charset=utf-8
	ContextPath: 
	LocalAddr: 
	LocalName: 
	PathInfo: 
	PathTranslated: 
	QueryString: 
	RequestURI: 
	RequestURL: 
	RemoteHost: 
	ServletPath: 
	Header: Host: 
	Header: Content-Length: 
	Header: Accept-Encoding: 
	Header: SOAPAction: ""
	Header: User-Agent: Apache-HttpClient/4.2.1 
	Header: Content-Type: text/xml; charset=utf-8
	Header: Connection: Keep-Alive
	Header: Accept: text/xml
	
2016-10-06 14:36:00.420 DEBUG 29695 --- [XNIO-2 task-2] c.a.a.s.endpoint.endone.server  : uri: , request:
<env:Envelope></env:Envelope>

filebeat.yml

multiline:
  pattern: Identifier
  negate: true
  match: after

I am using the configuration above to match "Identifier" in the line. The output should be as required:

event -1 :
2016-10-06 14:36:00.419 DEBUG 29695 --- [XNIO-2 task-2] c.a.a.s.endpoint.endone.server  : requestStartIdentifier: Identifier
2016-10-06 14:36:00.419 DEBUG 29695 --- [XNIO-2 task-2] c.a.a.s.endpoint.endone.server  : requestUri: 
2016-10-06 14:36:00.420 DEBUG 29695 --- [XNIO-2 task-2] c.a.a.s.endpoint.endone.server  : HttpServletRequest:
	ContentType: text/xml; charset=utf-8
	ContextPath: 
	LocalAddr: 
	LocalName: 
	PathInfo: 
	PathTranslated: 
	QueryString: 
	RequestURI: 
	RequestURL: 
	RemoteHost: 
	ServletPath: 
	Header: Host: 
	Header: Content-Length: 
	Header: Accept-Encoding: 
	Header: SOAPAction: ""
	Header: User-Agent: Apache-HttpClient/4.2.1 
	Header: Content-Type: text/xml; charset=utf-8
	Header: Connection: Keep-Alive
	Header: Accept: text/xml
	
2016-10-06 14:36:00.420 DEBUG 29695 --- [XNIO-2 task-2] c.a.a.s.endpoint.endone.server  : uri: , request:
<env:Envelope></env:Envelope>

event -2 :
2016-10-06 14:36:00.419 DEBUG 29695 --- [XNIO-2 task-2] c.a.a.s.endpoint.endone.server  : requestStartIdentifier: Identifier
2016-10-06 14:36:00.419 DEBUG 29695 --- [XNIO-2 task-2] c.a.a.s.endpoint.endone.server  : requestUri: 
2016-10-06 14:36:00.420 DEBUG 29695 --- [XNIO-2 task-2] c.a.a.s.endpoint.endone.server  : HttpServletRequest:
	ContentType: text/xml; charset=utf-8
	ContextPath: 
	LocalAddr: 
	LocalName: 
	PathInfo: 
	PathTranslated: 
	QueryString: 
	RequestURI: 
	RequestURL: 
	RemoteHost: 
	ServletPath: 
	Header: Host: 
	Header: Content-Length: 
	Header: Accept-Encoding: 
	Header: SOAPAction: ""
	Header: User-Agent: Apache-HttpClient/4.2.1 
	Header: Content-Type: text/xml; charset=utf-8
	Header: Connection: Keep-Alive
	Header: Accept: text/xml
	
2016-10-06 14:36:00.420 DEBUG 29695 --- [XNIO-2 task-2] c.a.a.s.endpoint.endone.server  : uri: , request:
<env:Envelope></env:Envelope>


1 Answer

Stack Overflow user

Accepted answer

Posted 2016-10-06 14:44:48

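Based on your sample input, it looks like we can use the line containing requestStartIdentifier: Identifier to mark the start of a new event. I used https://play.golang.org/p/BZ2ujeOZZ- to test different multiline parameters.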

Filebeat config:

filebeat:
  prospectors:
    - input_type: log
      paths:
        - input.txt
      multiline:
        pattern: 'requestStartIdentifier: Identifier$'
        negate:  true
        match:   after

output:
  console:
    pretty: true

Filebeat output (with newlines expanded):

{
  "@timestamp": "2016-10-06T21:51:27.244Z",
  "beat": {
    "hostname": "host",
    "name": "host"
  },
  "input_type": "log",
  "message": "2016-10-06 14:36:00.419 DEBUG 29695 --- [XNIO-2 task-2] c.a.a.s.endpoint.endone.server  : requestStartIdentifier: Identifier
2016-10-06 14:36:00.419 DEBUG 29695 --- [XNIO-2 task-2] c.a.a.s.endpoint.endone.server  : requestUri: 
2016-10-06 14:36:00.420 DEBUG 29695 --- [XNIO-2 task-2] c.a.a.s.endpoint.endone.server  : HttpServletRequest:
    ContentType: text/xml; charset=utf-8
    ContextPath: 
    LocalAddr: 
    LocalName: 
    PathInfo: 
    PathTranslated: 
    QueryString: 
    RequestURI: 
    RequestURL: 
    RemoteHost: 
    ServletPath: 
    Header: Host: 
    Header: Content-Length: 
    Header: Accept-Encoding: 
    Header: SOAPAction: \"\"
    Header: User-Agent: Apache-HttpClient/4.2.1 
    Header: Content-Type: text/xml; charset=utf-8
    Header: Connection: Keep-Alive
    Header: Accept: text/xml

2016-10-06 14:36:00.420 DEBUG 29695 --- [XNIO-2 task-2] c.a.a.s.endpoint.endone.server  : uri: , request:
\u003cenv:Envelope\u003e\u003c/env:Envelope\u003e
",
  "offset": 962,
  "source": "input.txt",
  "type": "log"
}
{
  "@timestamp": "2016-10-06T21:51:27.244Z",
  "beat": {
    "hostname": "host",
    "name": "host"
  },
  "input_type": "log",
  "message": "2016-10-06 14:36:00.419 DEBUG 29695 --- [XNIO-2 task-2] c.a.a.s.endpoint.endone.server  : requestStartIdentifier: Identifier
2016-10-06 14:36:00.419 DEBUG 29695 --- [XNIO-2 task-2] c.a.a.s.endpoint.endone.server  : requestUri: 
2016-10-06 14:36:00.420 DEBUG 29695 --- [XNIO-2 task-2] c.a.a.s.endpoint.endone.server  : HttpServletRequest:
    ContentType: text/xml; charset=utf-8
    ContextPath: 
    LocalAddr: 
    LocalName: 
    PathInfo: 
    PathTranslated: 
    QueryString: 
    RequestURI: 
    RequestURL: 
    RemoteHost: 
    ServletPath: 
    Header: Host: 
    Header: Content-Length: 
    Header: Accept-Encoding: 
    Header: SOAPAction: \"\"
    Header: User-Agent: Apache-HttpClient/4.2.1 
    Header: Content-Type: text/xml; charset=utf-8
    Header: Connection: Keep-Alive
    Header: Accept: text/xml

2016-10-06 14:36:00.420 DEBUG 29695 --- [XNIO-2 task-2] c.a.a.s.endpoint.endone.server  : uri: , request:
\u003cenv:Envelope\u003e\u003c/env:Envelope\u003e",
  "offset": 1923,
  "source": "input.txt",
  "type": "log"
}
Votes 0
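
Added example, not part of the original question or answer and not Filebeat's own code: a small Go approximation of multiline grouping with negate: true and match: after, comparing the question's pattern with the answer's anchored one. The names groupEvents and sampleLines are hypothetical, and the sample input is constructed from the question's log plus one made-up "correlationIdentifier" header line that shows how a bare substring pattern can split an event.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// groupEvents approximates Filebeat multiline grouping for negate: true,
// match: after. A line that matches the pattern starts a new event; every
// line that does not match is appended to the event before it.
func groupEvents(pattern string, lines []string) []string {
	re := regexp.MustCompile(pattern)
	var events, current []string
	for _, line := range lines {
		if re.MatchString(line) && len(current) > 0 {
			events = append(events, strings.Join(current, "\n"))
			current = nil
		}
		current = append(current, line)
	}
	if len(current) > 0 {
		events = append(events, strings.Join(current, "\n"))
	}
	return events
}

// sampleLines is constructed input modelled on the question's log; the
// "correlationIdentifier" line is hypothetical and does not appear on the page.
func sampleLines() []string {
	one := []string{
		"2016-10-06 14:36:00.419 DEBUG 29695 --- [XNIO-2 task-2] c.a.a.s.endpoint.endone.server  : requestStartIdentifier: Identifier",
		"2016-10-06 14:36:00.420 DEBUG 29695 --- [XNIO-2 task-2] c.a.a.s.endpoint.endone.server  : HttpServletRequest:",
		"\tContentType: text/xml; charset=utf-8",
		"\tHeader: correlationIdentifier: abc123",
		"<env:Envelope></env:Envelope>",
	}
	return append(append([]string{}, one...), one...)
}

func main() {
	for _, p := range []string{"Identifier", "requestStartIdentifier: Identifier$"} {
		fmt.Printf("pattern %q -> %d events\n", p, len(groupEvents(p, sampleLines())))
	}
}
```

With the bare pattern the two requests come out as four events, because the header line also contains "Identifier"; the anchored pattern yields the expected two.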
Original page content provided by Stack Overflow. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link: https://stackoverflow.com/questions/39897991
