- elasticsearch/
elasticsearch 麋鹿堆叠-Elasticsearch索引创建(logstash)
elasticsearch 麋鹿堆叠-Elasticsearch索引创建(logstash)
我正在用麋鹿来分析我们的日志文件。根据可用的文档,我成功地在我的电脑中设置了堆栈。现在我面临着创建弹性搜索索引的问题。以前我使用filebeat->logstash->elasticsearch->kibana组合,并使用下面的logstash.conf文件将数据发送到elasticsearch
input {
beats {
port => 5044
type => "log"
}
}
output {
elasticsearch {
hosts => "localhost:9200"
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}
"filebeat-*"
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
input {
file
{
path => "C:\logs\application.log"
start_position => "beginning"
codec =>
multiline {
charset => "ISO-8859-1"
pattern => "^%{TIMESTAMP_ISO8601}"
max_lines => 1000
negate => true
what => "previous"
}
}
}
filter {
mutate {
gsub => [ "message", "\r", "" ]
}
grok {
patterns_dir => "./patterns"
match => {"message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL1:loglevel} %{THREAD:thread} %{IP5:remoteipaddress} %{JAVA:logclass} %{GREEDYDATA:details}"}
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
date {
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS" ]
remove_field => [ "timestamp" ]
}
}
output {
elasticsearch {
hosts => "localhost:9200"
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
file {
path => "C:\logs\output.txt"
}
}
http://localhost:9200/_plugin/head/
%{[@metadata][beat]}-
San某些logstash插件使用元数据来传输不希望存储在文档中的字段。在第一个示例中,beats输入设置某些元数据,稍后在elasticsearch输出中使用这些元数据来设置索引和类型。由于文件输入没有设置这些元数据字段,logstash将输出变量名而不是空字符串,因此它将索引设置为“%{[@metadata][beat]}-2016.04.05”,日期是已知的,但元数据字段beat是未知的 如果您只是将elasticsearch输出保留为默认值,它应该可以正常工作:
elasticsearch{
hosts=>“本地主机:9200”
}
如果将manage_模板保留为false,它也不会应用
logstash-Since you know what the index should be called, just put it in the `elasticsearch` output:
output {
elasticsearch {
hosts => "localhost:9200"
manage_template => false
index => "filebeat-%{+YYYY.MM.dd}"
document_type => "whatever_type_filebeat_put_in"
}
}