filebeat multiline配置(转)

使用filebeat5.0.1版本，用filebeat作为日志收集工具时：
java日志格式需要多行匹配，在filebeat配置文件中添加：
### Multiline options
# Mutiline can be used for log messages spanning multiple lines. This is common
# for Java Stack Traces or C-Line Continuation
# The regexp Pattern that has to be matched. The example pattern matches all lines starting with [
multiline.pattern: ^[
# Defines if the pattern set under pattern should be negated or not. Default is false.
multiline.negate: true
# Match can be set to “after” or “before”. It is used to define if lines should be append to a pattern
# that was (not) matched before or after or as long as a pattern is not matched based on negate.
# Note: After is the equivalent to previous and before is the equivalent to to next in Logstash
multiline.match: after

上面配置的意思是：不以[开头的行都合并到上一行的末尾

pattern：正则表达式

negate：true 或 false；默认是false，匹配pattern的行合并到上一行；true，不匹配pattern的行合并到上一行

match：after 或 before，合并到上一行的末尾或开头

filebeat.prospectors:

• input_type: log

  paths:

  • /home/work/workspace/ws/risk_rebuild/log/*.log

  multiline:
  pattern: ‘^\d{4}-\d{2}-\d{2}’
  negate: true
  match: after
  max_lines: 20
  timeout: 5s
  tail_files: false

output.elasticsearch:
# Array of hosts to connect to.
hosts: [“172.16.102.102:9200”,”172.16.102.103:9200”,”172.16.102.104:9200”]
index: “risk_engine