我有filebeat-> ES setup.no logstash。
我有如下日志:
2020 Feb 11 06:56:30:554 GMT -0500 DEBUG [LogPool$0] com.ZU.digital.utilityservices.logging.Logging - EAI-DEBUG | ProcessOrderStatus.rule: Id - : OrderStatusNotification Payload : <?xml version="1.0" encoding="UTF-8"?>
<ns0:OSN >
ns0:merchantID200142</ns0:merchantID>
ns0:orderCode2003787391047586</ns0:orderCode>
ns0:lastEventCAPTURED</ns0:lastEvent>
ns0:paymentAmount12.90</ns0:paymentAmount>
ns0:paymentCurrencyEUR</ns0:paymentCurrency>
ns0:paymentCreditDebitINDC</ns0:paymentCreditDebitIND>
ns0:additionalData
ns0:data
ns0:name/
ns0:value/
</ns0:data>
</ns0:additionalData>
</ns0:OSN>
2020 Feb 11 06:56:30:554 GMT -0500 DEBUG [LogPool$0] com.ZU.digital.utilityservices.logging.Logging - Masking input XML in maskEntireXml
我有多行模式为:
multiline.pattern: '^[0-9]{4}[[:space:]]'
# Defines if the pattern set under pattern should be negated or not. Default is false.
multiline.negate: true
# Match can be set to "after" or "before". It is used to define if lines should be append to a pattern
# that was (not) matched before or after or as long as a pattern is not matched based on negate.
# Note: After is the equivalent to previous and before is the equivalent to to next in Logstash
multiline.match: after
但每行都被视为单个事件。正则表达式已在playgolang中进行了测试,并且工作正常。我希望日志在日期之间成为单个事件
最佳答案
求反后得到解决:true
关于elasticsearch - 多行正则表达式不适用于filebeat,但可以在goplay测试器中使用,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/60223274/