尝试在logstash中为Elasticsearch创建多个索引。但是我的“如果传导”不会创建任何单一索引,如果没有传导则无法正常工作。
但是,如果我将输入作为文件使用,并且在logstash中使用而不使用filebeat,则按我的期望它可以正常工作。谁能帮我解决。
###filebeat.yml###
=============
filebeat.inputs:
- type: log
enabled: true
paths:
- /home/user/vinit/pache/*.log
fields:
log_type: apache-log
- type: log
enabled: true
paths:
- /home/user/vinit/boss/*.log
fields:
log_type: jboss-log
fields_under_root: true
###pipeline-conf.conf###
==================
input {
beats {
port => 5044
}
}
filter {
grok {
match => { "message" => "^%{IP:CLIENT_IP} (?:-|%{USER:IDEN}) (?:-|%{USER:AUTH}) \[%{HTTPDATE:CREATED_ON}\] \"(?:%{WORD:REQUEST_METHOD} (?:/|%{NOTSPACE:REQUEST})(?: HTTP/%{NUMBER:HTTP_VERSION})?|-)\" %{NUMBER:RESPONSE_CODE} (?:-|%{WORD:BYTES}) (?:-|%{WORD:EXECUTION_TIME})"}
add_field => {
"LOG_TYPE" => "api-log"
}
overwrite => [ "message" ]
}
grok {
match => { "message" => "%{HTTPDATE:CREATED_ON}%{NOTSPACE}%{SPACE} (?:-|%{IP:CLIENT_IP})%{SPACE} %{NOTSPACE}(?:-|%{WORD:REQUEST_METHOD}%{SPACE}) (?:-|%{NOTSPACE:REQUEST})(?: HTTP/%{NUMBER:HTTP_VERSION})%{NOTSPACE}(?:-|%{GREEDYDATA:OTHER_INFO}) (?:-|%{NUMBER:RESPONSE_CODE}) (?:-|%{WORD:BYTES}) (?:-|%{WORD:EXECUTION_TIME})"}
add_field => {
"LOG_TYPE" => "web-log"
}
overwrite => [ "message" ]
}
grok {
match => { "message" => "%{TIME:CREATED_ON}%{SPACE}\[(?<THREAD>[^\]]+)?\] %{WORD:METHOD}%{SPACE}%{JAVACLASS:CLASS} - (?<MESSAGE_LOG>[^\r\n]+)((\r?\n)(?<extra>(.|\r?\n)+))?"}
add_field => {
"LOG_TYPE" => "jboss-log"
}
overwrite => [ "message" ]
}
}
output {
if [fields][log_type] == "apache-log"{
elasticsearch {
hosts => ["localhost:9200"]
manage_template => false
index => "server-logs-apache"
}
}
if [fields][log_type] == "jboss-log" {
elasticsearch {
hosts => ["localhost:9200"]
manage_template => false
index => "server-logs-jboss"
}
}
stdout { codec => rubydebug }
}
##Also Tried##
==============
output {
if "apache-log" in [fields][log_type] {
elasticsearch {
hosts => ["localhost:9200"]
manage_template => false
index => "server-logs-apache"
}
}
if "jboss-log" in [fields][log_type] {
elasticsearch {
hosts => ["localhost:9200"]
manage_template => false
index => "server-logs-jboss"
}
}
stdout { codec => rubydebug }
}
我期望结果作为索引:server-logs-apache,server-logs-jboss,但实际输出为空。
最佳答案
您要添加的字段是大写字母
add_field => { "LOG_TYPE" => "web-log" }
而Elasticsearch则将大小写不同的字段分开。您应该添加小写的字段-“log_type”
关于elasticsearch - 如何在logstash中基于传导创建多个索引,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/54166323/