這是我第一次嘗試使用 logstash，如果問(wèn)題過(guò)于基礎(chǔ)請(qǐng)?jiān)?（；′д｀）ゞ

這是我想處理的日志的樣子

Processing File E:\CMR\Waybill\BOOKINGS1606.TXT   2:43:51
Starting MRSLoad 2017/11/14 2:43:52
MRSLoad done 2017/11/14 3:05:05
Processing File E:\CMR\Waybill\AIRBILL1606.TXT   3:05:05
Starting MRSLoad 2017/11/14 3:05:10
MRSLoad done 2017/11/14 4:02:16
Processing File E:\CMR\Waybill\ACTRATE1606.TXT   4:02:16
Starting MRSLoad 2017/11/14 4:02:16
MRSLoad done 2017/11/14 4:18:22
Processing File E:\CMR\Waybill\ALTHIST1606.TXT   4:18:22
Starting MRSLoad 2017/11/14 4:18:23
MRSLoad done 2017/11/14 4:18:28
Processing File E:\CMR\Waybill\BKGLIST1606.TXT   4:18:28
Starting MRSLoad 2017/11/14 4:18:28
MRSLoad done 2017/11/14 4:18:28
Processing File E:\CMR\Waybill\MISCAWB1606.TXT   4:18:28
Starting MRSLoad 2017/11/14 4:18:29
MRSLoad done 2017/11/14 4:24:45
Processing File E:\CMR\Waybill\PARTAWB1606.TXT   4:24:45
Starting MRSLoad 2017/11/14 4:24:45
MRSLoad done 2017/11/14 4:52:36
Processing File E:\CMR\Waybill\BKGREFNO1606.TXT   4:52:36
Starting MRSLoad 2017/11/14 4:52:36
MRSLoad done 2017/11/14 4:52:37

這是我 LogStash 的配置文件

input {
        file {
                path=>"D:\Applications\ELK\logstash-6.0.0\test\test.log"
                codec=> multiline {
                        pattern => "^\P"
                        negate => true
                        what => "previous"
                }
                start_position=>"beginning"
                ignore_older=>0
        }
}
filter {
        grok {
                match=> [ "message", "%{WINPATH:path}\  %{TIME:processingtime}\\r\\nStarting MRSLoad %{GREEDYDATA:StartingMRSLoad}\\r\\nMRSLoad done %{GREEDYDATA:MRSLoaddone}\\r" ]
        }
}
output {
        stdout {
                codec=>rubydebug
        }
}

其中 filter 中用的 grok 我是在 Grok Debugger 調(diào)試出來(lái)的

完全沒(méi)有問(wèn)題的樣子，可是用到配置文件里就出現(xiàn)了錯(cuò)誤，日志并不能被正確的解析了

嘗試查詢(xún)了"_grokparsefailure" 發(fā)現(xiàn)有人遇到過(guò)一樣的問(wèn)題，但是暫且也沒(méi)找到可以參考解決的辦法，我想可能是我有一些理解錯(cuò)誤？求大佬幫忙看一下