1.假设一行日志内容如下:
[root@VM_0_92_centos opt]# cat error.log
-- ::,[ERROR ajp-nio--exec-](cn.com.al1.component.weixin.WeixinFilter:) filter获取用户访问出现异常 session=4289CF6DF375C0E39CFB5365B0BF3DBD.,url=/portal/cooperationOpen/cooperationOpenAction!continueSession.action,Referer=https://al.do2.com.cn/wxqyh/vp/modu
le/checkwork.html?agentCode=checkwork&corp_id=4w24589263c73e4999,userAgentMozilla/5.0 (Linux; Android 5.0.; PLK-AL10 Build/HONORPLK-AL10; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.132 MQQBrowser/6.2 TBS/ Mobile Safari/537.36 wxwork/2.7. MicroMessenger/7.0. NetType/WIFI Language/zh
2.logstash的配置
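# Tail the application's log4j file and assemble multi-line entries (for
# example Java stack traces) into single events before they reach the filters.
input {
  file {
    type => "java01"
    path => "/mnt/data/logs/wxqyh_18089/log4j.log"
    # Read the file from its first line the first time it is seen.
    # (Declared once; repeating the same setting in one plugin block adds
    # nothing and only obscures which value is in effect.)
    start_position => "beginning"
    # No read position is persisted, so the whole file is read again after
    # every restart and every line is indexed a second time. Convenient for a
    # test run; for long-running use point this at a real file so restarts do
    # not create duplicate events.
    sincedb_path => "/dev/null"
    # A line that does NOT start with a timestamp is appended to the previous
    # event; a line that does start with one opens a new event.
    codec => multiline {
      pattern => "^%{TIMESTAMP_ISO8601}"
      negate => true
      what => "previous"
    }
  }
}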
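# Split each event into level / thread / payload fields and scrub session
# identifiers before anything is shipped to the index.
filter {
  grok {
    # The two layouts differ only by an optional space after "[". They are
    # listed as one array under a single "message" key so the order in which
    # they are tried is explicit; the first pattern that matches wins.
    # NOTE: GREEDYDATA is ".*", so "ajp" runs up to the LAST "]" on the line.
    # If the payload itself can contain "]", the thread field will swallow part
    # of it; a negated class such as (?<ajp>[^\]]+) would stop at the first one.
    match => {
      "message" => [
        "^%{TIMESTAMP_ISO8601}\[%{WORD:level} %{GREEDYDATA:ajp}\]%{GREEDYDATA:data}",
        "^%{TIMESTAMP_ISO8601}\[ %{WORD:level} %{GREEDYDATA:ajp}\]%{GREEDYDATA:data}"
      ]
    }
    # Applied only when a pattern matched. Events that fail to parse keep the
    # raw "message" and are tagged _grokparsefailure, so they can be found and
    # the pattern corrected.
    remove_field => "message"
  }

  # The application writes "session=<id>" into the log line. A live session id
  # stored in a searchable index lets anyone with read access to that index
  # reuse the session, so it is masked here. "data" covers parsed events,
  # "message" covers events that failed grok and still carry the raw line.
  mutate {
    gsub => [
      "data", "session=[^, ]+", "session=[REDACTED]",
      "message", "session=[^, ]+", "session=[REDACTED]"
    ]
  }
}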
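# Ship events of type "java01" to Elasticsearch, one index per day.
output {
  if [type] == "java01" {
    elasticsearch {
      # No credentials or TLS settings are given, so events are sent over
      # plain HTTP and the cluster has to accept unauthenticated writes. These
      # events carry URLs, Referer values and user agents from real users;
      # outside a throwaway lab, enable security on the cluster and configure
      # this plugin's user/password and TLS options (names vary by version).
      hosts => ["10.0.0.92:9200"]
      # Four-letter year is the conventional date pattern for daily indices.
      index => "pattern5java-%{+YYYY.MM.dd}"
    }
  }
}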
3.结果
4.重要的贪婪匹配用法
# Splits a pipe-delimited log line into five named fields.
# Every GREEDYDATA is ".*": it first consumes the rest of the line and then
# backtracks to find the next "\|". Consequences worth knowing:
#   - if the line holds more "|" characters than the four expected here, the
#     earlier fields absorb the extra ones, because each ".*" takes as much
#     as it can;
#   - long lines, and lines that do not match at all, cost a lot of
#     backtracking. Anchoring with "^" and using a negated class such as
#     (?<ThreadName>[^|]*) for the delimited fields bounds that work.
# The closing brace on the last line ends an enclosing block (presumably
# "grok {") that is not shown in this excerpt.
match => { "message" => "%{GREEDYDATA:Timestamp}\|%{GREEDYDATA:ThreadName}\|%{WORD:LogLevel}\|%{GREEDYDATA:TextInformation}\|%{GREEDYDATA:ClassName}" }
}
5.参考: