背景:在 Logstash数据源为日志文件操作 基础上进行
一、修改配置
1. logstash.conf文件修改为如下
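input {
  # Console input, kept so the pipeline can be tested interactively.
  stdin { }
  file {
    # Log files in the log directory inside the container.
    path => ["/usr/share/logstash/logs/*.log"]
    # Multiline handling, method 1: a line that does NOT start with an
    # ISO8601 timestamp (e.g. a stack-trace line) is appended to the
    # previous event instead of becoming an event of its own.
    # The codec keeps the last event buffered until the next timestamped
    # line arrives; its auto_flush_interval option can be set if the final
    # entry of a file must not wait for that.
    codec => multiline {
      pattern => "^(%{TIMESTAMP_ISO8601})"
      negate => true
      what => "previous"
    }
    # Do not persist read positions. The path above is a Linux container
    # path, where the null device is /dev/null; "NUL" is the null device
    # only on Windows, and on Linux it becomes a regular file named NUL
    # that does persist positions.
    # With positions discarded and start_position => "beginning", every
    # restart re-reads every file and re-sends it to the outputs, so the
    # same log entries are indexed again. Suitable for a demo only.
    sincedb_path => "/dev/null"
    type => "spring"
    start_position => "beginning"
  }
}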
filter {
  if [type] == "spring" {
    # Multiline handling, method 2 (disabled, kept for reference): the same
    # rule expressed as a filter instead of an input codec.
    # NOTE(review): the multiline filter plugin is, as far as I know, no
    # longer bundled with current Logstash releases; prefer the codec.
    # multiline {
    #   pattern => "^(%{TIMESTAMP_ISO8601})"
    #   negate => true
    #   what => "previous"
    # }
    grok {
      # (?m) lets the pattern match across the newlines that multiline
      # merging leaves inside the message.
      # Events that do not match are tagged _grokparsefailure by default and
      # are still passed on to the outputs unparsed.
      # The captured "timestamp" field is not copied into @timestamp in this
      # pipeline, so @timestamp stays the time Logstash read the line.
      match => {
        "message" => "(?m)^%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{LOGLEVEL:logLevel}%{SPACE}%{NUMBER:pid}%{SPACE}---%{SPACE}%{SYSLOG5424SD:threadName}%{SPACE}%{NOTSPACE:loggerName}%{SPACE}:%{SPACE}%{GREEDYDATA:message}"
      }
      # Replace the original message with the captured remainder.
      overwrite => [ "message" ]
    }
  }
}
output {
  if [type] == "spring" {
    elasticsearch {
      # NOTE(review): no credentials or TLS options are set here, so events
      # are sent as configured by host:port alone. Confirm that "es" is only
      # reachable on a private network, or add authentication and TLS before
      # using this outside a local demo.
      hosts => ["es:9200"]
      # One index per day, named from the event's @timestamp.
      index => "spring-%{+YYYY.MM.dd}"
    }
  }
  # Debug output: prints every event, message body included, to the
  # container's stdout, so log content also ends up in the container logs.
  stdout { codec => rubydebug }
}
二、模拟日志
1. D:\usr\local\logs目录下添加日志文件spring-2020-05-25.log,内容如下
2020-05-15 17:54:50.805 DEBUG 8296 --- [scheduling-1] org.jooq.tools.LoggerListener : Executing query : select id from user
2020-05-15 17:54:52.945 DEBUG 1012 --- [scheduling-1] org.jooq.tools.LoggerListener : Executing query : select id from user
2020-05-21 19:55:52.945 DEBUG 1012 --- [scheduling-1] org.jooq.tools.LoggerListener : Executing query