[root@10-19-148-59 etc]# cat test_front_console.conf input { beats { type => beats port => 5077 } } filter { if [type] == 'test-front' { multiline { pattern => ".*##.*" negate => true what => "previous" } grok { patterns_dir => "/data/package/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.5/patterns" match => {"message"=>"%{DATA:date} %{LOGLEVEL:LEVEL} %{JAVACLASS:class} %{NOTSPACE:thread} %{NOTSPACE:requestId} %{MSG:msg}"} remove_field => ['@version'] remove_field => ['message'] remove_field => ['offset'] remove_field => ['source'] remove_field => ['input_type'] remove_field => ['beat'] } } if [type] == 'test-esb' { multiline { pattern => ".*##.*" negate => true what => "previous" } grok { remove_field => ['@version'] remove_field => ['offset'] remove_field => ['source'] remove_field => ['input_type'] remove_field => ['beat'] } } } output { if [type] == 'test-front' { elasticsearch { hosts => ["10.19.148.59:9200"] index => "test-front-%{+YYYY.MM.dd}" } stdout { codec => rubydebug } } if [type] == 'test-esb' { elasticsearch { hosts => ["10.19.148.59:9200"] index => "test-esb-%{+YYYY.MM.dd}" } } }
添加下面一个正则表达式
[root@10-19-148-59 patterns]# cat msg MSG (.| | )*