logstash - 在 Logstash 中解析多行日志文件

Question

我有一个如下所述的日志文件。我想使用logstash解析这个文件。

2015-06-10 05:11:37,799 [good][status] [ErrorAttribute - AN EXCEPTION OCCURED: 
Exception Occured1
Exception Occured1
Exception Occured1
Exception Occured1
Exception Occured1
Exception Occured1
Exception Occured1
]2015-06-10 05:36:35,517 [50][ERROR] [ErrorAttribute - AN EXCEPTION OCCURED: 
Exception DiffernetOccured1
Exception DiffernetOccured1
Exception DiffernetOccured1
Exception DiffernetOccured1
Exception DiffernetOccured1
Exception DiffernetOccured1
Exception DiffernetOccured1
]

我想像下面的字段格式一样解析上面的文件

@timestamp - 2015-06-10 05:11:37,799
Quality - good
Status- Pass
Details - ErrorAttribute - AN EXCEPTION OCCURED: 
Exception Occured1
Exception Occured1
Exception Occured1
Exception Occured1
Exception Occured1
Exception Occured1
Exception Occured1

我想继续这一步直到我使用了 grok 表达式的文件结束，因为日志信息包含很多行，所以 grokparse 失败。我希望grok能逐行申请。

我想将信息解析为像这样的单独事件作为一个事件

2015-06-10 05:11:37,799 [50][ERROR] [ErrorAttribute - AN EXCEPTION OCCURED: 
Exception Occured1
Exception Occured1
Exception Occured1
Exception Occured1
Exception Occured1
Exception Occured1
Exception Occured1
]

这是另一个事件

2015-06-10 05:36:35,517 [50][ERROR] [ErrorAttribute - AN EXCEPTION OCCURED: 
Exception DiffernetOccured1
Exception DiffernetOccured1
Exception DiffernetOccured1
Exception DiffernetOccured1
Exception DiffernetOccured1
Exception DiffernetOccured1
Exception DiffernetOccured1
]

如何在 Logstash 过滤器中实现这一点。

Answer 1

您需要使用多行编解码器或过滤器将行合并为一个事件进行处理。

Answer 2

我使用多行过滤器将消息分组为单个事件，并通过使用拆分过滤器，我拆分为多个事件并解析 Logstash 中的信息。

谢谢@Alain 的建议。