I am trying to set up Logstash to feed Elasticsearch. Of course, I created the following conf file, which seems to run fine:
    input {
      beats {
        port => 5044
      }
      file {
        path => "C:/f1/f2/Logs/f3/LocalHost#base#iway_2022-03-28T10_45_15.log"
      }
    }
    filter {
      grok {
        match => {
          "message" => [
            ".%{TIMESTAMP_ISO8601:timeStamp}. %{LOGLEVEL:loglevel} .(W.)%{DATA:thread}.%{INT:thread_pool}. %{GREEDYDATA:msgbody}",
            ".%{TIMESTAMP_ISO8601:timeStamp}. %{LOGLEVEL:loglevel} .%{DATA:thread}. %{GREEDYDATA:msgbody}"
          ]
        }
      }
    }
    output {
      elasticsearch {
        hosts => ["https://localhost:9200"]
        index => "iway_logs"
        user => "elastic"
        password => "something"
        cacert => "C:\f1\f2\logstash-8.1.3\config\cert\elasticsearch_http_ca.crt"
      }
    }
I have been trying to add two new fields, but so far without success. Below is the current version of the conf file after many modifications.
    input {
      beats {
        port => 5044
      }
      file {
        path => "C:/f1/f2/Logs/f3/LocalHost#base#iway_2022-03-28T10_45_15.log"
      }
    }
    filter {
      grok {
        match => {
          "message" => [
            ".%{TIMESTAMP_ISO8601:timeStamp}. %{LOGLEVEL:loglevel} .(W.)%{DATA:thread}.%{INT:thread_pool}. %{GREEDYDATA:msgbody}",
            ".%{TIMESTAMP_ISO8601:timeStamp}. %{LOGLEVEL:loglevel} .%{DATA:thread}. %{GREEDYDATA:msgbody}"
          ]
        }
      }
      grok {
        match => {
          "path" => "%{GREEDYDATA}/%{GREEDYDATA:filename}\.log"
        }
      }
      mutate {
        split => { "filename" => "#" }
        add_field => { "serverName" => "%{[filename][0]}" }
        add_field => { "configName" => "%{[filename][1]}" }
      }
    }
    output {
      elasticsearch {
        hosts => ["https://localhost:9200"]
        index => "iway_logs"
        user => "elastic"
        password => "something"
        cacert => "C:\f1\f2\logstash-8.1.3\config\cert\elasticsearch_http_ca.crt"
      }
    }
The result for the new fields (i.e. serverName and configName) always reports the original expression instead of the evaluated output. Can anyone help? TIA.
Answer from a uj5u.com user:
You should probably leverage the dissect filter for this, like so:
    filter {
      if [path] {
        dissect {
          mapping => {
            "path" => "C:/f1/f2/Logs/f3/%{serverName}#%{configName}#%{?ignore}.log"
          }
        }
      }
    }
If you have ECS compatibility enabled, the path field is called [log][file][path], so your configuration should be this:
    filter {
      if [log][file][path] {
        dissect {
          mapping => {
            "[log][file][path]" => "C:/f1/f2/Logs/f3/%{serverName}#%{configName}#%{?ignore}.log"
          }
        }
      }
    }
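An added example, not part of the original answer: a self-contained test pipeline that takes the source path from either [log][file][path] or path, applies the dissect mapping from the answer, and tags events that carry neither field so they can be found in the index. The generator input, the sample event, the [@metadata][src_path] field and the no_source_path tag are assumptions made for illustration.

```logstash
# Added example (not the answerer's code). Run offline and read the
# rubydebug output to confirm serverName and configName are populated.
input {
  generator {
    count   => 1
    message => "constructed sample event"
  }
}
filter {
  # Constructed sample: simulate the field the file input sets when ECS
  # compatibility is enabled. Rename it to "path" to test the non-ECS case.
  mutate {
    add_field => {
      "[log][file][path]" => "C:/f1/f2/Logs/f3/LocalHost#base#iway_2022-03-28T10_45_15.log"
    }
  }

  # Copy whichever field carries the source path into one metadata field
  # (metadata fields are not sent to outputs).
  if [log][file][path] {
    mutate { copy => { "[log][file][path]" => "[@metadata][src_path]" } }
  } else if [path] {
    mutate { copy => { "path" => "[@metadata][src_path]" } }
  }

  if [@metadata][src_path] {
    # Same mapping as in the answer; a non-matching path is tagged
    # _dissectfailure by the dissect filter's default tag_on_failure.
    dissect {
      mapping => {
        "[@metadata][src_path]" => "C:/f1/f2/Logs/f3/%{serverName}#%{configName}#%{?ignore}.log"
      }
    }
  } else {
    # Neither field exists: tag the event so the gap is searchable,
    # rather than indexing a literal "%{...}" reference.
    mutate { add_tag => ["no_source_path"] }
  }
}
output {
  stdout { codec => rubydebug }
}
```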
