I am working with ELK 6.7.0 on Docker with the official images. This is my conf file:
input {
  file {
    path => "/usr/share/logstash/logs/*.xml"
    type => "xml"
    sincedb_path => "/dev/null"
    codec => multiline {
      pattern => "<root>"
      negate => "true"
      what => "previous"
    }
  }
}
filter {
  xml {
    source => "message"
    store_xml => false
    xpath => [
      "/root/ChainId/text()", "ChainId",
      "/root/SubChainId/text()", "SubChainId",
      "/root/StoreId/text()", "StoreId",
      "/root/BikoretNo/text()", "BikoretNo",
      "/root/DllVerNo/text()", "DllVerNo"
    ]
  }
}
output {
  elasticsearch {
    hosts => "elasticsearch:9200"
    index => "xml_index"
  }
  stdout {
    codec => rubydebug
  }
}
My XML file:
<?xml version="1.0" encoding="UTF-8"?>
<root>
<ChainId>7290027600007</ChainId>
<SubChainId>001</SubChainId>
<StoreId>001</StoreId>
<BikoretNo>9</BikoretNo>
<DllVerNo>8.0.1.3</DllVerNo>
</root>
I am trying to parse incoming XML files, but when a new file is created in the Logstash path folder, it is parsed as follows:
logstash_1 | {
logstash_1 | "path" => "/usr/share/logstash/logs/example10.xml",
logstash_1 | "@version" => "1",
logstash_1 | "message" => "<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
logstash_1 | "type" => "xml",
logstash_1 | "@timestamp" => 2019-04-02T04:42:59.248Z,
logstash_1 | "host" => "a4f1bf64a3d5"
logstash_1 | }
However, when I reload my conf file, Logstash unexpectedly parses my XML successfully:
logstash_1 | {
logstash_1 | "StoreId" => [
logstash_1 | [0] "001"
logstash_1 | ],
logstash_1 | "message" => "<root>\n <ChainId>7290027600007</ChainId>\n <SubChainId>001</SubChainId>\n <StoreId>001</StoreId>\n <BikoretNo>9</BikoretNo>\n <DllVerNo>8.0.1.3</DllVerNo>",
logstash_1 | "DllVerNo" => [
logstash_1 | [0] "8.0.1.3"
logstash_1 | ],
logstash_1 | "type" => "xml",
logstash_1 | "SubChainId" => [
logstash_1 | [0] "001"
logstash_1 | ],
logstash_1 | "BikoretNo" => [
logstash_1 | [0] "9"
logstash_1 | ],
logstash_1 | "path" => "/usr/share/logstash/logs/example10.xml",
logstash_1 | "@version" => "1",
logstash_1 | "ChainId" => [
logstash_1 | [0] "7290027600007"
logstash_1 | ],
logstash_1 | "tags" => [
logstash_1 | [0] "multiline"
logstash_1 | ],
logstash_1 | "@timestamp" => 2019-04-02T04:43:18.439Z,
logstash_1 | "host" => "a4f1bf64a3d5"
logstash_1 | }
logstash_1 | {
logstash_1 | "StoreId" => [
logstash_1 | [0] "001"
logstash_1 | ],
logstash_1 | "message" => "<root>\n <ChainId>7290027600007</ChainId>\n <SubChainId>001</SubChainId>\n <StoreId>001</StoreId>\n <BikoretNo>9</BikoretNo>\n <DllVerNo>8.0.1.3</DllVerNo>",
logstash_1 | "DllVerNo" => [
logstash_1 | [0] "8.0.1.3"
logstash_1 | ],
logstash_1 | "type" => "xml",
logstash_1 | "SubChainId" => [
logstash_1 | [0] "001"
logstash_1 | ],
logstash_1 | "BikoretNo" => [
logstash_1 | [0] "9"
logstash_1 | ],
logstash_1 | "path" => "/usr/share/logstash/logs/example11.xml",
logstash_1 | "@version" => "1",
logstash_1 | "ChainId" => [
logstash_1 | [0] "7290027600007"
logstash_1 | ],
logstash_1 | "tags" => [
logstash_1 | [0] "multiline"
logstash_1 | ],
logstash_1 | "@timestamp" => 2019-04-02T04:43:18.440Z,
logstash_1 | "host" => "a4f1bf64a3d5"
logstash_1 | }
The message field in the two events contains different parts of the file, and it seems that Logstash splits the file before and after the pattern. However, it is not clear why this happens only when the conf file is reloaded.
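
A simplified model of the buffering behind the output above, added here as an example (it is not part of the original post and not the codec's own code): with negate => "true" and what => "previous", the `<?xml ...?>` line is emitted as soon as `<root>` arrives, while the lines from `<root>` onward stay buffered until another matching line or a flush. The class, method and constant names are hypothetical.

```ruby
# Simplified model (not the plugin's code) of a multiline codec set up with
# pattern => "<root>", negate => "true", what => "previous".
class MultilineModel
  def initialize(pattern)
    @pattern = pattern
    @buffer = []
  end

  # Feed one line. Returns the event this line completes, or nil.
  def accept(line)
    # negate + previous: a non-matching line joins the buffered event,
    # a matching line closes that event and starts the next one.
    done = line.match?(@pattern) ? flush : nil
    @buffer << line
    done
  end

  # Emit whatever is buffered (nil when the buffer is empty).
  def flush
    return nil if @buffer.empty?
    event = @buffer.join("\n")
    @buffer = []
    event
  end
end

# Constructed input: the lines of the XML file shown in the question.
SAMPLE_LINES = [
  '<?xml version="1.0" encoding="UTF-8"?>',
  '<root>',
  '<ChainId>7290027600007</ChainId>',
  '<SubChainId>001</SubChainId>',
  '<StoreId>001</StoreId>',
  '<BikoretNo>9</BikoretNo>',
  '<DllVerNo>8.0.1.3</DllVerNo>',
  '</root>'
].freeze

# Returns the events emitted while reading and the event left in the buffer.
def replay(lines)
  codec = MultilineModel.new(/<root>/)
  emitted = lines.map { |line| codec.accept(line) }.compact
  { emitted: emitted, pending: codec.flush }
end

result = replay(SAMPLE_LINES)
puts "emitted while reading: #{result[:emitted].inspect}"
puts "held until a flush:    #{result[:pending].inspect}"
```

The multiline codec's `auto_flush_interval` option emits the buffered lines after that many seconds without new data, so the last event of a file does not wait for another matching line.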