0

我正在使用官方图像在 docker 上使用 ELK 6.7.0。这是我的 conf 文件:

input {
  file {
    path => "/usr/share/logstash/logs/*.xml"
    type => "xml"
    sincedb_path => "/dev/null"
    codec => multiline {
      pattern => "<root>"
      negate => "true"
      what => "previous"
    }
  }
}

filter {  
  xml {
    source => "message"
    store_xml => false
    xpath => [
        "/root/ChainId/text()", "ChainId",
        "/root/SubChainId/text()", "SubChainId",
        "/root/StoreId/text()", "StoreId",
        "/root/BikoretNo/text()", "BikoretNo",
        "/root/DllVerNo/text()", "DllVerNo"
    ]
  }
}

output {
  elasticsearch {
    hosts => "elasticsearch:9200"
    index => "xml_index"
  }

  stdout { 
    codec => rubydebug 
  }
}

我的 XML 文件是:

<?xml version="1.0" encoding="UTF-8"?>
<root>
    <ChainId>7290027600007</ChainId>
    <SubChainId>001</SubChainId>
    <StoreId>001</StoreId>
    <BikoretNo>9</BikoretNo>
    <DllVerNo>8.0.1.3</DllVerNo>
</root>

我正在尝试解析传入的 XML 文件,但是当在路径文件夹 logstash 上创建新文件时,将其解析如下:

logstash_1 | {
logstash_1 | "路径" => "/usr/share/logstash/logs/example10.xml",
logstash_1 | "@version" => "1",
logstash_1 | "消息" => "<?xml 版本=\"1.0\" 编码=\"UTF-8\"?>",
logstash_1 | “类型” => “xml”,
logstash_1 | "@timestamp" => 2019-04-02T04:42:59.248Z,
logstash_1 | “主机”=>“a4f1bf64a3d5”
logstash_1 | }

但是,当我重新加载我的 conf 文件时,Logstash 出人意料地成功解析了我的 XML:

logstash_1 | {
logstash_1 | “商店 ID”=> [
logstash_1 | [0] "001"
logstash_1 | ],
logstash_1 | "message" => "<root>\n <ChainId>7290027600007</ChainId>\n <SubChainId>001</SubChainId>\n <StoreId>001</StoreId>\n <BikoretNo>9</BikoretNo>\ n <DllVerNo>8.0.1.3</DllVerNo>",
logstash_1 | “DllVerNo”=> [
logstash_1 | [0]“8.0.1.3”
logstash_1 | ],
logstash_1 | “类型” => “xml”,
logstash_1 | “子链 ID” => [
logstash_1 | [0] "001"
logstash_1 | ],
logstash_1 | “BikoretNo”=> [
logstash_1 | [0] “9”
logstash_1 | ],
logstash_1 | "路径" => "/usr/share/logstash/logs/example10.xml",
logstash_1 | "@version" => "1",
logstash_1 | “链 ID”=> [
logstash_1 | [0] "7290027600007"
logstash_1 | ],
logstash_1 | “标签” => [
logstash_1 | [0]“多行”
logstash_1 | ],
logstash_1 | "@timestamp" => 2019-04-02T04:43:18.439Z,
logstash_1 | “主机”=>“a4f1bf64a3d5”
logstash_1 | }
logstash_1 | {
logstash_1 | “商店 ID”=> [
logstash_1 | [0] "001"
logstash_1 | ],
logstash_1 | "message" => "<root>\n <ChainId>7290027600007</ChainId>\n <SubChainId>001</SubChainId>\n <StoreId>001</StoreId>\n <BikoretNo>9</BikoretNo>\ n <DllVerNo>8.0.1.3</DllVerNo>",
logstash_1 | “DllVerNo”=> [
logstash_1 | [0]“8.0.1.3”
logstash_1 | ],
logstash_1 | “类型” => “xml”,
logstash_1 | “子链 ID” => [
logstash_1 | [0] "001"
logstash_1 | ],
logstash_1 | “BikoretNo”=> [
logstash_1 | [0] “9”
logstash_1 | ],
logstash_1 | "路径" => "/usr/share/logstash/logs/example11.xml",
logstash_1 | "@version" => "1",
logstash_1 | “链 ID”=> [
logstash_1 | [0] "7290027600007"
logstash_1 | ],
logstash_1 | “标签” => [
logstash_1 | [0]“多行”
logstash_1 | ],
logstash_1 | "@timestamp" => 2019-04-02T04:43:18.440Z,
logstash_1 | “主机”=>“a4f1bf64a3d5”
logstash_1 | }

两个事件中的消息字段是文件的不同部分,看起来 Logstash 在模式之前和之后拆分文件。即便如此,不清楚为什么它只是在重新加载 conf 文件时这样做。

4

1 回答 1

0

是的你是对的。它根据多行模式拆分每个事件。要按原样发送整个文件,请使用从不匹配的模式。输入定义中的类似内容。

codec => multiline { pattern => "^Spalanzani" negate => true what => "previous" auto_flush_interval => 1 }
于 2019-04-02T11:16:44.960 回答