Code Plugin

  简单来说就是在Input和Output之间做数据转换.数据进入Stash被转换成Event在输出的时候讲Event转换成需要的数据格式.

常见格式

说明

# 之前设置过logstash的环境变量.所以后文直接用logstash执行
vim ~/.zshrc
# 添加
alias logstash="/usr/local/Cellar/logstash/bin/logstash"

常用举例

# 输入一行内容通过rubydebug输出
logstash -e "input{stdin{codec=>line}}output{stdout{codec=>rebydebug}}"
hello,qvbilam // 输入内容
{"host":"erhuadaangdeMBP","@version":"1","@timestamp":"2019-07-25T07:58:56.396Z","message":"hello,qvbilam"}

# 输入一行内容通过rebydebug输出
logstash -e "input{stdin{codec=>line}}output{stdout{codec=>rubydebug}}"
qvbilam // 输入内容
{
    "@timestamp" => 2019-07-25T08:01:49.184Z,
       "message" => "qvbilam",
      "@version" => "1",
          "host" => "erhuadaangdeMBP"
}

// 输入json通过rebydebug输出
logstash -e "input{stdin{codec=>json}}output{stdout{codec=>rubydebug}}"
{"angel":"qvbilam","name" : "gy","age" : 16} //输入内容
{
          "name" => "gy",
      "@version" => "1",
          "host" => "erhuadaangdeMBP",
    "@timestamp" => 2019-07-25T08:05:12.848Z,
           "age" => 16,
         "angel" => "qvbilam"
}

Multiline举例

  在很多的日志中都是以时间戳开头的行数据.例如下面这个Multiline的类型的日志.通过json的格式输出

[2019-07-25T16:05:04,515][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified

  首先创建一个匹配的配置文件.vim multilinToJson.conf当然是为了方便阅读以及后续服用.

input{
  stdin{
    codec => multiline{
    pattern => "^\[%{TIMESTAMP_ISO8601}\]"
    negate => true
    what => "previous"
    }
  }
}
output{
  stdout{
    codec => json
  }
}

  执行测试

注意:multiline格式的回车后需要再复制一遍内容才会输出结果.因为logstash并不知道你输入的行内容什么时候结束.知道匹配到下一行才会结束.

logstash -f multilinToJson.conf

  返回结果

{
    "@version":"1",
    "host":"erhuadaangdeMBP",
    "@timestamp":"2019-07-25T08:37:49.475Z",
    "message":"[2019-07-25T16:05:04,515][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified"
}