Example:
```yaml
filebeat.inputs:
- type: log
  enabled: true
  encoding: gbk
  paths:
    - /home/lislog/lis74.log
  multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
  multiline.negate: true
  multiline.match: after
  tags: ["lislog"]
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
output.logstash:
  hosts: ["20.9.255.50:5044"]
processors:
- drop_fields:
    fields: ["@version", "_id", "offset","_index","_score","beat.version","beat.hostname","input_type","type"]
```
Multiline merge expressions (values for multiline.pattern):
'^[0-9]{4}-[0-9]{2}-[0-9]{2}' # lines that begin with a date such as 2015-08-24 11:49:14,389; with negate: true and match: after, every line that does not begin with a date is appended to the previous one (a line that begins with "[" as in [2015-08-24 11:49:14,389] needs ^\[ instead, because ^ anchors at the first character)
'^[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}' # the same, written with the POSIX digit class
'^\[' # with negate: true and match: after, Filebeat merges every line that does not begin with [ into the previous line
'^[[:space:]]' # with negate: false and match: after, Filebeat merges every line that begins with whitespace into the previous line
'^[[:space:]]+(at|\.{3})\b|^Caused by:' # Java stack-trace continuation lines: indented "at ..." and "... N more" lines, plus "Caused by:" lines
'\\$' # lines that end with a backslash (line continuation); inside YAML single quotes the regex reaches Filebeat as \\$, a literal backslash followed by end of line
'^\[|^[0-9]{4}-[0-9]{2}-[0-9]{2}|^[0-9]{1,3}\.[0-9]{1,3}' # lines that begin with [, with a date, or with a dotted number such as the start of an IP address
```text
[2015-08-24 11:49:14,389] Start new event
[2015-08-24 11:49:14,395] Content of processing something
[2015-08-24 11:49:14,399] End event
```
Events like these can be merged with the following multiline configuration:
```yaml
multiline.pattern: 'Start new event'
multiline.negate: true
multiline.match: after
multiline.flush_pattern: 'End event'
```
Several Filebeat configuration options accept regular expressions: multiline.pattern, include_lines, exclude_lines and exclude_files all do.
Note: put regular expressions in single quotes, e.g. '^\[?[0-9][0-9]:?[0-9][0-9]|^[[:graph:]]+'. YAML takes a single-quoted string literally, whereas in a double-quoted string backslash sequences are interpreted by the YAML parser, and an unquoted pattern can be misread because of characters such as [, { or #.
Author: 与狼共舞666
Link: https://www.jianshu.com/p/77071435bf05
Source: 简书 (Jianshu)
Copyright belongs to the author. Commercial reproduction requires the author's permission; non-commercial reproduction must credit the source.
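The regular-expression options above (multiline.pattern, include_lines, exclude_lines, exclude_files) are compiled by Filebeat with Go's regexp package, which implements RE2 syntax, so Go itself is the exact oracle for what a pattern will match. The check below is added here and is not part of the original post or of Filebeat: it runs the patterns from the merge-expression list against a few constructed log lines and shows which Perl-style constructs (lookaround, backreferences) Filebeat refuses, the difference from Logstash that the documentation warns about. The sample lines and the short pattern names are assumptions made up for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// PagePatterns are the multiline.pattern expressions from the list above,
// keyed by short names chosen for this example. Filebeat compiles patterns
// with Go's regexp package (RE2 syntax), so regexp here behaves identically.
var PagePatterns = map[string]string{
	"date":    `^[0-9]{4}-[0-9]{2}-[0-9]{2}`,
	"posix":   `^[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}`,
	"bracket": `^\[`,
	"space":   `^[[:space:]]`,
	"java":    `^[[:space:]]+(at|\.{3})\b|^Caused by:`,
	"bslash":  `\\$`,
	"any":     `^\[|^[0-9]{4}-[0-9]{2}-[0-9]{2}|^[0-9]{1,3}\.[0-9]{1,3}`,
}

// SampleLines are constructed for this example, not taken from a real log.
var SampleLines = []string{
	"2015-08-24 11:49:14,389 Start new event",
	"[2015-08-24 11:49:14,395] Content of processing something",
	"    at com.example.myproject.Book.getTitle(Book.java:16)",
	"Caused by: java.lang.NullPointerException",
	`copy C:\logs\app.log \\share\backup\`,
	"10.0.0.1 - - GET /index.html",
	"plain continuation text",
}

// MatchLine reports whether line matches pattern under RE2 rules.
func MatchLine(pattern, line string) (bool, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, err
	}
	return re.MatchString(line), nil
}

// MatchingPatterns returns the sorted names of the page patterns that match line.
func MatchingPatterns(line string) []string {
	var names []string
	for name, p := range PagePatterns {
		if ok, _ := MatchLine(p, line); ok {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

// CompilesInFilebeat reports whether RE2 accepts the pattern. Lookaround and
// backreferences, which Perl-compatible engines accept, are rejected here,
// so a pattern that works in Logstash may be refused by Filebeat at startup.
func CompilesInFilebeat(pattern string) bool {
	_, err := regexp.Compile(pattern)
	return err == nil
}

func main() {
	for _, line := range SampleLines {
		fmt.Printf("%-62q %v\n", line, MatchingPatterns(line))
	}
	for _, p := range []string{`(?<=\[)[0-9]+`, `(\w)\1`, `^(?!DEBUG)`, PagePatterns["java"]} {
		fmt.Printf("%-40s compiles in Filebeat: %v\n", p, CompilesInFilebeat(p))
	}
}
```

Running it shows, for instance, that the date pattern does not match the bracketed timestamp line (the bracket occupies column 0), and that all three Perl-style patterns fail to compile while every pattern from the list above compiles cleanly.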
| Pattern | Description |
|---|---|
| Single characters | |
| x | single character |
| . | any character, possibly including newline (s=true) |
| [xyz] | character class |
| [^xyz] | negated character class |
| [[:alpha:]] | ASCII character class |
| [[:^alpha:]] | negated ASCII character class |
| \d | Perl character class |
| \D | negated Perl character class |
| \pN | Unicode character class (one-letter name) |
| \p{Greek} | Unicode character class |
| \PN | negated Unicode character class (one-letter name) |
| \P{Greek} | negated Unicode character class |
| Composites | |
| xy | x followed by y |
| x\|y | x or y (prefer x) |
| Repetitions | |
| x* | zero or more x, prefer more |
| x+ | one or more x, prefer more |
| x? | zero or one x, prefer one |
| x{n,m} | n or n+1 or … or m x, prefer more |
| x{n,} | n or more x, prefer more |
| x{n} | exactly n x |
| x*? | zero or more x, prefer fewer |
| x+? | one or more x, prefer fewer |
| x?? | zero or one x, prefer zero |
| x{n,m}? | n or n+1 or … or m x, prefer fewer |
| x{n,}? | n or more x, prefer fewer |
| x{n}? | exactly n x |
| Grouping | |
| (re) | numbered capturing group (submatch) |
| (?P<name>re) | named & numbered capturing group (submatch) |
| (?:re) | non-capturing group |
| (?i)abc | set flags within current group, non-capturing |
| (?i:re) | set flags during re, non-capturing |
| (?i)PaTTeRN | case-insensitive (default false) |
| (?m)multiline | multi-line mode: ^ and $ match begin/end line in addition to begin/end text (default false) |
| (?s)pattern. | let . match \n (default false) |
| (?U)x*abc | ungreedy: swap meaning of x* and x*?, x+ and x+?, etc (default false) |
| Empty strings | |
| ^ | at beginning of text or line (m=true) |
| $ | at end of text (like \z not \Z) or line (m=true) |
| \A | at beginning of text |
| \b | at ASCII word boundary (\w on one side and \W, \A, or \z on the other) |
| \B | not at ASCII word boundary |
| \z | at end of text |
| Escape sequences | |
| \a | bell (same as \007) |
| \f | form feed (same as \014) |
| \t | horizontal tab (same as \011) |
| \n | newline (same as \012) |
| \r | carriage return (same as \015) |
| \v | vertical tab character (same as \013) |
| \* | literal *, for any punctuation character * |
| \123 | octal character code (up to three digits) |
| \x7F | two-digit hex character code |
| \x{10FFFF} | hex character code |
| \Q…\E | literal text … even if … has punctuation |
| ASCII character classes | |
| [[:alnum:]] | alphanumeric (same as [0-9A-Za-z]) |
| [[:alpha:]] | alphabetic (same as [A-Za-z]) |
| [[:ascii:]] | ASCII (same as [\x00-\x7F]) |
| [[:blank:]] | blank (same as [\t ]) |
| [[:cntrl:]] | control (same as [\x00-\x1F\x7F]) |
| [[:digit:]] | digits (same as [0-9]) |
| [[:graph:]] | graphical (same as [!-~] == [A-Za-z0-9!"#$%&'()*+,-./:;<=>?@[\\]^_`{\|}~]) |
| [[:lower:]] | lower case (same as [a-z]) |
| [[:print:]] | printable (same as [ -~] == [ [:graph:]]) |
| [[:punct:]] | punctuation (same as [!-/:-@[-`{-~]) |
| [[:space:]] | whitespace (same as [\t\n\v\f\r ]) |
| [[:upper:]] | upper case (same as [A-Z]) |
| [[:word:]] | word characters (same as [0-9A-Za-z_]) |
| [[:xdigit:]] | hex digit (same as [0-9A-Fa-f]) |
| Perl character classes (supported) | |
| \d | digits (same as [0-9]) |
| \D | not digits (same as [^0-9]) |
| \s | whitespace (same as [\t\n\f\r ]) |
| \S | not whitespace (same as [^\t\n\f\r ]) |
| \w | word characters (same as [0-9A-Za-z_]) |
| \W | not word characters (same as [^0-9A-Za-z_]) |
Manage multiline messages
The files harvested by Filebeat may contain messages that span multiple lines of text. For example, multiline messages are common in files that contain Java stack traces. To handle these multiline events correctly, you need to configure multiline settings in the filebeat.yml file to specify which lines are part of a single event.
note If you are sending multiline events to Logstash, use the options described here to handle multiline events before sending the event data to Logstash. Trying to implement multiline event handling in Logstash (for example, with the Logstash multiline codec) may lead to the mixing of streams and corrupted data.
Also read Avoid YAML formatting problems and Regular expression support to avoid common mistakes.
Configuration options
You can specify the following options in the filebeat.inputs section of the filebeat.yml config file to control how Filebeat deals with messages that span multiple lines.
The following example shows how to configure Filebeat to handle a multiline message where the first line of the message begins with a bracket ([).
```yaml
multiline.type: pattern
multiline.pattern: '^\['
multiline.negate: true
multiline.match: after
```
Filebeat takes all the lines that do not start with [ and combines them with the previous line that does. For example, you could use this configuration to join the following lines of a multiline message into a single event:
```text
[beat-logstash-some-name-832-2015.11.28] IndexNotFoundException[no such index]
    at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver$WildcardExpressionResolver.resolve(IndexNameExpressionResolver.java:566)
    at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndices(IndexNameExpressionResolver.java:133)
    at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndices(IndexNameExpressionResolver.java:77)
    at org.elasticsearch.action.admin.indices.delete.TransportDeleteIndexAction.checkBlock(TransportDeleteIndexAction.java:75)
```
multiline.type
Defines which aggregation method to use. The default is pattern. The other option is count, which lets you aggregate a constant number of lines.
multiline.pattern
Specifies the regular expression pattern to match. Note that the regexp patterns supported by Filebeat differ somewhat from the patterns supported by Logstash. See Regular expression support for a list of supported regexp patterns. Depending on how you configure the other multiline options, lines that match the specified regular expression are considered either continuations of a previous line or the start of a new multiline event. You can set the negate option to negate the pattern.
multiline.negate
Defines whether the pattern is negated. The default is false.
multiline.match
Specifies how Filebeat combines matching lines into an event. The settings are after or before. The behavior of these settings depends on what you specify for negate:

| negate | match | Result |
|---|---|---|
| false | after | Consecutive lines that match the pattern are appended to the previous line that doesn't match. |
| false | before | Consecutive lines that match the pattern are prepended to the next line that doesn't match. |
| true | after | Consecutive lines that don't match the pattern are appended to the previous line that does match. |
| true | before | Consecutive lines that don't match the pattern are prepended to the next line that does match. |

note The after setting is equivalent to previous in Logstash, and before is equivalent to next.
multiline.flush_pattern
Specifies a regular expression; when a line matches it, the current multiline buffer is flushed from memory, ending the multiline message.
multiline.max_lines
The maximum number of lines that can be combined into one event. If the multiline message contains more than max_lines lines, any additional lines are discarded. The default is 500.
multiline.timeout
After the specified timeout, Filebeat sends the multiline event even if no new pattern has been found to start a new event. The default is 5s.
multiline.count_lines
The number of lines to aggregate into a single event (used with multiline.type: count).
multiline.skip_newline
When set, multiline events are concatenated without a line separator.
Java stack traces
Java stack traces consist of multiple lines, with each line after the initial line beginning with whitespace, as in this example:
```text
Exception in thread "main" java.lang.NullPointerException
        at com.example.myproject.Book.getTitle(Book.java:16)
        at com.example.myproject.Author.getBookTitles(Author.java:25)
        at com.example.myproject.Bootstrap.main(Bootstrap.java:14)
```
To consolidate these lines into a single event in Filebeat, use the following multiline configuration:
```yaml
multiline.type: pattern
multiline.pattern: '^[[:space:]]'
multiline.negate: false
multiline.match: after
```
This configuration merges any line that begins with whitespace into the previous line.
Here is a Java stack trace that presents a slightly more complex example:
```text
Exception in thread "main" java.lang.IllegalStateException: A book has a null property
        at com.example.myproject.Author.getBookIds(Author.java:38)
        at com.example.myproject.Bootstrap.main(Bootstrap.java:14)
Caused by: java.lang.NullPointerException
        at com.example.myproject.Book.getId(Book.java:22)
        at com.example.myproject.Author.getBookIds(Author.java:35)
        ... 1 more
```
To consolidate these lines into a single event in Filebeat, use the following multiline configuration:
```yaml
multiline.type: pattern
multiline.pattern: '^[[:space:]]+(at|\.{3})[[:space:]]+\b|^Caused by:'
multiline.negate: false
multiline.match: after
```
In this example, the pattern matches the following lines:
- a line that begins with spaces followed by the word at or …
- a line that begins with the words Caused by:
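To see how negate, match, flush_pattern and max_lines interact, here is a small Go re-implementation of the pattern-based multiline reader, added here as an illustration: it is not Filebeat's own code, and it ignores multiline.timeout (an explicit end-of-input flush stands in for it). It uses Go's regexp package, the same RE2 engine Filebeat uses, so the per-line matching is exact. It runs over constructed copies of the stack trace above and of the Start new event / End event lines earlier on the page, plus a made-up backslash-continuation sample to show match: before; the type and function names are chosen for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// MultilineConfig mirrors the multiline.* keys described above.
type MultilineConfig struct {
	Pattern      string // multiline.pattern, RE2 syntax as in Filebeat
	Negate       bool   // multiline.negate
	Match        string // multiline.match: "after" or "before"
	FlushPattern string // multiline.flush_pattern, "" for none
	MaxLines     int    // multiline.max_lines, 0 = unlimited here (Filebeat's default is 500)
}

// Group applies the multiline rules to lines and returns the resulting events
// plus the number of lines discarded by max_lines. It illustrates the documented
// behaviour and is not Filebeat's reader; timeout handling is omitted.
func Group(cfg MultilineConfig, lines []string) ([]string, int, error) {
	if cfg.Match != "after" && cfg.Match != "before" {
		return nil, 0, fmt.Errorf("multiline.match must be after or before, got %q", cfg.Match)
	}
	re, err := regexp.Compile(cfg.Pattern)
	if err != nil {
		return nil, 0, err
	}
	var flush *regexp.Regexp
	if cfg.FlushPattern != "" {
		if flush, err = regexp.Compile(cfg.FlushPattern); err != nil {
			return nil, 0, err
		}
	}
	var events, buf []string
	dropped := 0
	emit := func() {
		if len(buf) > 0 {
			events = append(events, strings.Join(buf, "\n"))
			buf = buf[:0]
		}
	}
	add := func(line string) {
		if cfg.MaxLines > 0 && len(buf) >= cfg.MaxLines {
			dropped++ // lines beyond max_lines are discarded, not split into a new event
			return
		}
		buf = append(buf, line)
	}
	for _, line := range lines {
		// A continuation attaches to its neighbour instead of marking a boundary; negate flips the pattern.
		cont := re.MatchString(line) != cfg.Negate
		if cfg.Match == "after" { // continuations are appended to the previous line
			if !cont {
				emit()
			}
			add(line)
		} else { // before: continuations are prepended to the next non-continuation line
			add(line)
			if !cont {
				emit()
			}
		}
		if flush != nil && flush.MatchString(line) {
			emit() // flush_pattern ends the event immediately
		}
	}
	emit() // end of input; in Filebeat multiline.timeout plays this role
	return events, dropped, nil
}

// Constructed sample input modelled on the examples on this page.
var JavaTrace = []string{
	`Exception in thread "main" java.lang.IllegalStateException: A book has a null property`,
	"        at com.example.myproject.Author.getBookIds(Author.java:38)",
	"        at com.example.myproject.Bootstrap.main(Bootstrap.java:14)",
	"Caused by: java.lang.NullPointerException",
	"        at com.example.myproject.Book.getId(Book.java:22)",
	"        at com.example.myproject.Author.getBookIds(Author.java:35)",
	"        ... 1 more",
}
var StartEnd = []string{
	"[2015-08-24 11:49:14,389] Start new event",
	"[2015-08-24 11:49:14,395] Content of processing something",
	"[2015-08-24 11:49:14,399] End event",
}
// Made-up shell continuation lines, to show match: before with the '\\$' pattern.
var ShellCont = []string{`echo one \`, `  two \`, `  three`, `echo done`}

func main() {
	for _, r := range []struct {
		cfg   MultilineConfig
		lines []string
	}{
		{MultilineConfig{Pattern: `^[[:space:]]`, Match: "after"}, JavaTrace},
		{MultilineConfig{Pattern: `^[[:space:]]+(at|\.{3})[[:space:]]+\b|^Caused by:`, Match: "after"}, JavaTrace},
		{MultilineConfig{Pattern: "Start new event", Negate: true, Match: "after", FlushPattern: "End event", MaxLines: 2}, StartEnd},
		{MultilineConfig{Pattern: `\\$`, Match: "before"}, ShellCont},
	} {
		events, dropped, err := Group(r.cfg, r.lines)
		fmt.Printf("%-55q -> %d event(s), %d dropped, err=%v\n", r.cfg.Pattern, len(events), dropped, err)
	}
}
```

Running it shows that the plain ^[[:space:]] pattern splits the second stack trace into two events at the Caused by: line, whereas the fuller pattern keeps it as one; that with max_lines: 2 the End event line is discarded rather than emitted as an event of its own; and that with match: before the backslash-terminated lines are grouped with the line that follows them.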