Logstash can't create separate indexes
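I have two filebeat inputs with tags and fields.
In my pipeline.conf, I filter the logs using their tags.
But when the index is created, Logstash takes the index name as %{[fields][log_type]}-2020-10-07.
How can I solve this? Can I create two separate indexes?
Here are my files.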
filebeat.yml
- type: log
  enabled: true
  paths:
    - D:\Git\gbase.API\Logs\*.log
  tags: ["gbaseapi"]
  fields: {log_type: gbase}
- type: log
  enabled: true
  paths:
    - D:\Git\finance.api\FinanceAPI\logs\*.log
  tags: ["financeapi"]
  fields: {log_type: finance}
  multiline.pattern: '^[[:space:]]'
  multiline.negate: false
  multiline.match: after
My pipeline.conf
input {
  beats {
    type => "mytest"
    port => 5044
  }
}
filter {
  if "gbase" in [tags]
  {
    if [level] in [ "Error", "Fatal" ]
    {
      grok { match => ["message","%{DATESTAMP:timestamp} \[%{WORD:processId}\] %{LOGLEVEL:level} %{USERNAME:logger} %{USER:user} %{IPV4:clientIp} %{URI:requestUrl} %{USER:method} %{GREEDYDATA:message}"] }
    }
    else
    {
      grok { match => ["message","%{DATESTAMP:timestamp} \[%{WORD:processId}\] %{LOGLEVEL:level} %{USERNAME:logger} %{USER:user} %{IPV4:clientIp} %{GREEDYDATA:message}" ] }
    }
    mutate { gsub => ["message", "\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}.\d{4} ",""]}
    mutate { gsub => ["message", "%{level}",""]}
    mutate { gsub => ["message", "%{logger}",""]}
    mutate { gsub => ["message", "%{clientIp}",""]}
  }
  if "finance" in [tags]
  {
    if [level] in [ "Error", "Fatal" ]
    {
      grok { match => ["message","%{DATESTAMP:time} \[%{WORD:processId}\] %{LOGLEVEL:level} %{USERNAME:logger} %{USER:user} %{IPV4:clientIp} %{URI:requestUrl} %{USER:method} %{GREEDYDATA:message}"]}
    }
    else
    {
      grok { match => ["message","%{DATESTAMP:time} \[%{WORD:processId}\] %{LOGLEVEL:level} %{USERNAME:logger} %{USER:user} %{IPV4:clientIp} %{GREEDYDATA:message}" ]}
    }
    mutate { gsub => ["message", "\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}.\d{4} ",""]}
    mutate { gsub => ["message", "%{level}",""]}
    mutate { gsub => ["message", "%{logger}",""]}
    mutate { gsub => ["message", "%{clientIp}",""]}
  }
  date {
    match => [ "time" , "dd/MMM/yyyy:HH:mm:ss Z" ]
    target => "@time"
  }
}
output {
  elasticsearch
  {
    hosts => ["http://localhost:9200"]
    index => "%{[fields][log_type]}-%{+YYYY.MM.dd}"
    user => "something"
    password => "something"
  }
  stdout { codec => rubydebug }
}
You should specify fields like this instead:
- type: log
  enabled: true
  paths:
    - D:\Git\gbase.API\Logs\*.log
  tags: ["gbaseapi"]
  fields:
    log_type: gbase   # <--- change this
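
An added example, not part of the original question or answer: Logstash leaves a `%{...}` reference as literal text when the field does not exist on the event, which is how an index named `%{[fields][log_type]}-2020-10-07` gets created. The pipeline fragment below guards the output on that field so such events go to a fallback index and are tagged for review; the tag `missing_log_type` and the index prefix `unrouted` are assumed names, and the connection settings are copied from the question.

```logstash
filter {
  # Tag events that arrive without the routing field so the gap is searchable.
  # If Filebeat sets fields_under_root: true, the field is [log_type] instead
  # of [fields][log_type], and the reference in the output must change to match.
  if ![fields][log_type] {
    mutate { add_tag => ["missing_log_type"] }   # hypothetical tag name
  }
}

output {
  if "missing_log_type" in [tags] {
    # Fallback: prevents an index literally named "%{[fields][log_type]}-..."
    elasticsearch {
      hosts    => ["http://localhost:9200"]
      index    => "unrouted-%{+YYYY.MM.dd}"      # hypothetical index name
      user     => "something"
      password => "something"
    }
  } else {
    # Field present: one daily index per log_type (gbase-..., finance-...)
    elasticsearch {
      hosts    => ["http://localhost:9200"]
      index    => "%{[fields][log_type]}-%{+YYYY.MM.dd}"
      user     => "something"
      password => "something"
    }
  }
  stdout { codec => rubydebug }
}
```

The `stdout { codec => rubydebug }` output already in the question prints each event, which shows whether `fields.log_type` is present before the index name is built.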