- elasticsearch/
elasticsearch 日志存储,与多个索引关联的多个grok
elasticsearch 日志存储,与多个索引关联的多个grok
我想问一下这个场景 我有两个grok模式要匹配 如果第一个匹配,我想将其与第一个索引输出相关联,例如“logstash business error” 如果第二个grok匹配,我想将其链接到第二个索引输出,例如“logstash system error” 我们可以用logstash.conf吗 下面是我目前的一个,它只有一个索引
input {
beats {
port => 5044
}
}
filter {
grok {
match => {
"message" => "%{TIMESTAMP_ISO8601:timestamp} *%{LOGLEVEL:messagetype} (?:\[%{GREEDYDATA:jmsListener}\]) %{WORD:class } - %{WORD:Task} - %{QS:errorType} %{NUMBER:clientlayout} %{DATA:roll
Up} %{DATA:docName} %{NUMBER:errorNo} %{GREEDYDATA:message}"
}
}
if [messagetype]!="ERROR"{
drop {}
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}
output {
elasticsearch {
hosts => "localhost:9200"
manage_template => false
index => "logstash-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
stdout { codec => rubydebug }
}
谢谢,请看下面的技巧: 将新字段添加为
mutate {
add_field => {
"index_prefix" => "logstash"
}
}
if [messagetype]!="ERROR" {
mutate {
replace => {
"index_prefix" => "whateveryouwant"
}
}
}
output {
elasticsearch {
hosts => "localhost:9200"
manage_template => false
index => "%{index_prefix}-%{+xxxx.ww}"
document_type => "%{[@metadata][type]}"
}
stdout { codec => rubydebug }
}
input {
beats {
port => 5044
}
}
filter {
grok {
match => {
"message" => "%{TIMESTAMP_ISO8601:timestamp} *%{LOGLEVEL:messagetype} (?:\[%{GREEDYDATA:jmsListener}\]) %{WORD:class } - %{WORD:Task} - %{QS:errorType} %{NUMBER:clientlayout} %{DATA:roll
Up} %{DATA:docName} %{NUMBER:errorNo} %{GREEDYDATA:message}"
}
}
if [messagetype]!="ERROR"{
drop {}
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}
mutate {
add_field => {
"index_prefix" => "logstash"
}
}
if [messagetype]!="ERROR" {
mutate {
replace => {
"index_prefix" => "whateveryouwant"
}
}
}
output {
elasticsearch {
hosts => "localhost:9200"
manage_template => false
index => "%{index_prefix}-%{+xxxx.ww}"
document_type => "%{[@metadata][type]}"
}
stdout { codec => rubydebug }
}
=~