- elasticsearch/
elasticsearch 使用元数据字段创建带有日志存储的条件输出时出现问题
elasticsearch 使用元数据字段创建带有日志存储的条件输出时出现问题
我想将winlogbeat数据发送到主索引之外的单独索引。我已将winlogbeat配置为将其数据发送到我的logstash服务器,并且我可以确认我已收到数据 这就是我目前所做的:
output {
if [@metadata][beat] == "winlogbeat" {
elasticsearch {
hosts => ["10.229.1.12:9200", "10.229.1.13:9200"]
index => "%{[@metadata][beat]}-%{+YYYY-MM-dd}"
user => logstash_internal
password => password
stdout { codec => rubydebug }
}
else {
elasticsearch {
hosts => ["10.229.1.12:9200", "10.229.1.13:9200"]
index => "logstash-%{stuff}-%{+YYYY-MM-dd}"
user => logstash_internal
password => password
}
}
}
}
我做错了什么?您的配置中的括号有问题。要修复您的代码,请参阅以下内容:
output {
if [@metadata][beat] == "winlogbeat" {
elasticsearch {
hosts => ["10.229.1.12:9200", "10.229.1.13:9200"]
index => "%{[@metadata][beat]}-%{+YYYY-MM-dd}"
user => logstash_internal
password => password
}
stdout { codec => rubydebug }
} else {
elasticsearch {
hosts => ["10.229.1.12:9200", "10.229.1.13:9200"]
index => "logstash-%{stuff}-%{+YYYY-MM-dd}"
user => logstash_internal
password => password
}
}
}