I am running ELK 6.7.0 on Docker using the official images. This is my conf file:
input {
  file {
    path => "/usr/share/logstash/logs/*.xml"
    type => "xml"
    sincedb_path => "/dev/null"
    codec => multiline {
      pattern => "<root>"
      negate => "true"
      what => "previous"
    }
  }
}
filter {
  xml {
    source => "message"
    store_xml => false
    xpath => [
      "/root/ChainId/text()", "ChainId",
      "/root/SubChainId/text()", "SubChainId",
      "/root/StoreId/text()", "StoreId",
      "/root/BikoretNo/text()", "BikoretNo",
      "/root/DllVerNo/text()", "DllVerNo"
    ]
  }
}
output {
  elasticsearch {
    hosts => "elasticsearch:9200"
    index => "xml_index"
  }
  stdout {
    codec => rubydebug
  }
}
My XML file is:
<?xml version="1.0" encoding="UTF-8"?>
<root>
  <ChainId>7290027600007</ChainId>
  <SubChainId>001</SubChainId>
  <StoreId>001</StoreId>
  <BikoretNo>9</BikoretNo>
  <DllVerNo>8.0.1.3</DllVerNo>
</root>
I am trying to parse incoming XML files, but when a new file is created in the Logstash path folder it is parsed as follows:
logstash_1 | {
logstash_1 |           "path" => "/usr/share/logstash/logs/example10.xml",
logstash_1 |       "@version" => "1",
logstash_1 |        "message" => "<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
logstash_1 |           "type" => "xml",
logstash_1 |     "@timestamp" => 2019-04-02T04:42:59.248Z,
logstash_1 |           "host" => "a4f1bf64a3d5"
logstash_1 | }
But when I reload my conf file, Logstash surprisingly parses my XML successfully:
logstash_1 | {
logstash_1 |        "StoreId" => [
logstash_1 |         [0] "001"
logstash_1 |     ],
logstash_1 |        "message" => "<root>\n <ChainId>7290027600007</ChainId>\n <SubChainId>001</SubChainId>\n <StoreId>001</StoreId>\n <BikoretNo>9</BikoretNo>\n <DllVerNo>8.0.1.3</DllVerNo>",
logstash_1 |       "DllVerNo" => [
logstash_1 |         [0] "8.0.1.3"
logstash_1 |     ],
logstash_1 |           "type" => "xml",
logstash_1 |     "SubChainId" => [
logstash_1 |         [0] "001"
logstash_1 |     ],
logstash_1 |      "BikoretNo" => [
logstash_1 |         [0] "9"
logstash_1 |     ],
logstash_1 |           "path" => "/usr/share/logstash/logs/example10.xml",
logstash_1 |       "@version" => "1",
logstash_1 |        "ChainId" => [
logstash_1 |         [0] "7290027600007"
logstash_1 |     ],
logstash_1 |           "tags" => [
logstash_1 |         [0] "multiline"
logstash_1 |     ],
logstash_1 |     "@timestamp" => 2019-04-02T04:43:18.439Z,
logstash_1 |           "host" => "a4f1bf64a3d5"
logstash_1 | }
logstash_1 | {
logstash_1 |        "StoreId" => [
logstash_1 |         [0] "001"
logstash_1 |     ],
logstash_1 |        "message" => "<root>\n <ChainId>7290027600007</ChainId>\n <SubChainId>001</SubChainId>\n <StoreId>001</StoreId>\n <BikoretNo>9</BikoretNo>\n <DllVerNo>8.0.1.3</DllVerNo>",
logstash_1 |       "DllVerNo" => [
logstash_1 |         [0] "8.0.1.3"
logstash_1 |     ],
logstash_1 |           "type" => "xml",
logstash_1 |     "SubChainId" => [
logstash_1 |         [0] "001"
logstash_1 |     ],
logstash_1 |      "BikoretNo" => [
logstash_1 |         [0] "9"
logstash_1 |     ],
logstash_1 |           "path" => "/usr/share/logstash/logs/example11.xml",
logstash_1 |       "@version" => "1",
logstash_1 |        "ChainId" => [
logstash_1 |         [0] "7290027600007"
logstash_1 |     ],
logstash_1 |           "tags" => [
logstash_1 |         [0] "multiline"
logstash_1 |     ],
logstash_1 |     "@timestamp" => 2019-04-02T04:43:18.440Z,
logstash_1 |           "host" => "a4f1bf64a3d5"
logstash_1 | }
The message fields of the two events are different parts of the file, so it looks like Logstash splits the file before and after the pattern. Even so, it is unclear why it only does this when the conf file is reloaded.
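The following is an added example (editor's illustration, not code from the question or from Logstash itself): a small Python model of the multiline codec's documented line-grouping rule (`matched = line matches pattern XOR negate`; with `what => "previous"` a matched line is appended to the buffered event, an unmatched line flushes the buffer and starts a new one). Run over the question's XML (embedded here as a constructed sample), the question's `pattern => "<root>"` setting emits only the XML declaration while the file is being read and leaves the `<root>` block sitting in the buffer until something flushes the codec, such as a pipeline reload, which is the behaviour the two rubydebug outputs above show. A second configuration keyed on `^<\?xml` is included purely for comparison and is an assumption of this example, not a fix confirmed by the page; the model joins whole lines only, so it does not explain why `</root>` is missing from the reported message.

```python
import re

# Constructed sample: the question's XML document, one tag per line.
XML_DOC = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<root>\n'
    '<ChainId>7290027600007</ChainId>\n'
    '<SubChainId>001</SubChainId>\n'
    '<StoreId>001</StoreId>\n'
    '<BikoretNo>9</BikoretNo>\n'
    '<DllVerNo>8.0.1.3</DllVerNo>\n'
    '</root>\n'
)


class Multiline:
    """Simplified model of the Logstash multiline codec (pattern/negate/what).

    matched = (line matches pattern) XOR negate
    what == "previous": matched line -> appended to the buffered event;
                        unmatched line -> buffer is flushed, line starts a new event
    what == "next":     matched line -> buffered, waits for the next line;
                        unmatched line -> appended, then the buffer is flushed
    Buffered lines leave the codec only through flush(): when a new event
    starts, or when the pipeline stops or reloads.
    """

    def __init__(self, pattern, negate=False, what="previous"):
        self.regex = re.compile(pattern)
        self.negate = negate
        self.what = what
        self.buffer = []

    def flush(self):
        """Emit the buffered lines as a single event (empty list if nothing is buffered)."""
        if not self.buffer:
            return []
        event = "\n".join(self.buffer)
        self.buffer = []
        return [event]

    def decode(self, line):
        """Feed one line; return the list of events it completed (zero or one)."""
        matched = bool(self.regex.search(line)) != self.negate
        if self.what == "previous":
            events = [] if matched else self.flush()
            self.buffer.append(line)
            return events
        self.buffer.append(line)
        return [] if matched else self.flush()


def run(codec, text):
    """Return (events emitted while reading, events that appear only on a final flush)."""
    streamed = []
    for line in text.splitlines():
        streamed.extend(codec.decode(line))
    on_reload = codec.flush()  # what a pipeline reload/shutdown would release
    return streamed, on_reload


def question_config(text):
    """The question's codec settings: pattern "<root>", negate true, what previous."""
    return run(Multiline(r"<root>", negate=True, what="previous"), text)


def declaration_config(text):
    """Hypothetical comparison: group on the XML declaration that opens each document."""
    return run(Multiline(r"^<\?xml", negate=True, what="previous"), text)


if __name__ == "__main__":
    for name, fn in (("question", question_config), ("declaration", declaration_config)):
        streamed, on_reload = fn(XML_DOC * 2)  # two documents appended to one file
        print(f"--- {name} config ---")
        print("emitted while reading:", streamed)
        print("released only on flush:", on_reload)
```

With a single file containing one document, `question_config` streams exactly one event whose message is the XML declaration and holds the whole `<root>` block back until the flush, matching the two outputs in the question; with two documents in one file it also glues the second document's declaration onto the end of the first document's `<root>` block, because that line does not match `<root>` either.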