Filebeat 配置为使用来自 kafka 的输入并输出到文件
关闭多行设置时,输出将发布到文件中。 但是当kafka输入配置了mutiline时,文件中没有输出(甚至没有创建文件)
这里是相关的filebeat配置
输入配置
filebeat.inputs:
- type: kafka
hosts:
- <ip>:9092
topics:
- "my-multiline-log"
group_id: "kafka-consumer-filebeat"
parsers:
- multiline:
# type: pattern
pattern: '^'
negate: true
match: after
输出配置:
output.file:
path: "/tmp/filebeat"
filename: filebeat
# codec.format:
# string: '%{[message]}'
Filebeat相关日志
2021-12-16T11:02:34.551Z INFO [input.kafka] compat/compat.go:111 Input kafka starting {"id": "19A7FFEEC9EDFC04"}
2021-12-16T11:02:34.551Z INFO [input.kafka.kafka input] kafka/input.go:129 Starting Kafka input {"id": "19A7FFEEC9EDFC04", "hosts": ["<ip>:9092"]}
2021-12-16T11:02:38.158Z DEBUG [reader_multiline] multiline/pattern.go:142 Multiline event flushed because timeout reached.
2021-12-16T11:02:44.767Z DEBUG [reader_multiline] multiline/pattern.go:142 Multiline event flushed because timeout reached.
2021-12-16T11:02:51.481Z DEBUG [reader_multiline] multiline/pattern.go:142 Multiline event flushed because timeout reached.
2021-12-16T11:02:58.225Z DEBUG [reader_multiline] multiline/pattern.go:142 Multiline event flushed because timeout reached.
2021-12-16T11:03:04.555Z DEBUG cgroup/util.go:276 PID 1 contains a cgroups V2 path (0::/) but no V2 mountpoint was found.
This may be because metricbeat is running inside a container on a hybrid system.
To monitor cgroups V2 processess in this way, mount the unified (V2) hierarchy inside
the container as /sys/fs/cgroup/unified and start metricbeat with --system.hostfs.
在日志中重复获得相同的四行
reader_multiline编辑:7.16版本中添加了对kafka多行解析器的支持
我认为这个配置是不必要的。模式:
pattern: '^' - multiline:
type: pattern
pattern: '^'
negate: true
match: after
您可以参考这个 goground 来玩模式和日志行,它会显示模式匹配的行:https://go.dev/play/p/LT3wWiFBdhK这是一个filebeat 官方doc
中提到的游乐场的调整版本我认为,对于按新行分割,您甚至不需要通过
multiline