I use one Logstash multiline codec to merge multiple lines into one event, and use split to split the multiline event. The multiline Logstash conf is like this:
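input {
  file {
    path => "/home/web_server/report.log"
    sincedb_path => "/home/web_server/.sincedb"
    start_position => "end"
    # "^" matches every line, so each line is appended to the previous one
    # until the event is flushed (auto_flush_interval) or reaches max_lines.
    codec => multiline {
      pattern => "^"
      negate => false
      what => "previous"
      auto_flush_interval => 0.5
      max_lines => 100
    }
  }
}
output {
  http {
    url => "http://127.0.0.1:8282/"
    http_method => "get"
  }
}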
and the split conf is like this:
input {
  http {
    port => 8282
    response_headers => {"Content-Type"=>"text/json"}
    threads => 8
  }
}
filter {
  split {
    field => "message"
    terminator => "\n"
  }
  json {
    source => "message"
    remove_field => ["message", "path", "@version", "headers", "tags"]
  }
}
output {
  file {
    path => "/home/web_server/result.log"
  }
}
When I run Logstash with the two confs above, result.log is much less than report.log. It seems the split filter only got one line from a batch event with multiline.
But when I remove the conf in split{} and just use split like below
split {
}
the result is the same as report.log.
The split field default is "message" and the terminator default is "\n". Is there any difference between writing the default conf or not writing it?
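
Added example, not part of the original post and not Logstash's own code: a Ruby simulation of why an explicit `terminator => "\n"` can behave differently from leaving the option unset. It assumes Logstash's documented behaviour that quoted strings in a pipeline config are taken literally unless `config.support_escapes: true` is set in logstash.yml; the helpers `config_string`, `split_events` and `event_count` and the sample message are constructed for illustration.

```ruby
# Escape sequences Logstash documents for config.support_escapes: true.
ESCAPES = {
  "n" => "\n", "r" => "\r", "t" => "\t",
  "\\" => "\\", '"' => '"', "'" => "'"
}.freeze

# Interpret the text typed between the quotes of a config value.
# With support_escapes off (the default), the text is used as typed.
def config_string(raw, support_escapes:)
  return raw unless support_escapes
  raw.gsub(/\\(.)/m) { |m| ESCAPES.fetch(m[1]) { m } }
end

# Hypothetical stand-in for the split filter: one event per non-empty piece.
def split_events(message, terminator)
  message.split(terminator, -1).reject(&:empty?)
end

# Constructed sample: three JSON lines merged into one event by the
# multiline codec, joined with real newline characters (byte 10).
MESSAGE = [
  '{"id":1,"status":"ok"}',
  '{"id":2,"status":"ok"}',
  '{"id":3,"status":"error"}'
].join("\n")

# What the conf contains between the quotes: a backslash followed by "n".
RAW_TERMINATOR = '\n'

# Number of events produced for the sample under each setting.
def event_count(support_escapes)
  terminator = config_string(RAW_TERMINATOR, support_escapes: support_escapes)
  split_events(MESSAGE, terminator).length
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |flag|
    term = config_string(RAW_TERMINATOR, support_escapes: flag)
    puts "support_escapes=#{flag} terminator bytes=#{term.bytes.inspect} " \
         "events=#{event_count(flag)}"
  end
end
```

Under that assumption the explicit terminator is the two characters backslash and n, which never occur in the merged message, while the built-in default is a real newline. Either leave `terminator` unset or enable `config.support_escapes`.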