Java Logstash: is there a way to invoke a grok template based on a field name

Tags: java, elasticsearch, elastic-stack, logstash-grok, logstash-logback-encoder

I use ELK and logstash-logback-encoder to push logs to Logstash. Now I want to use the same stack, i.e. ELK and logstash-logback-encoder, for analytics.

Flow: Logger.info(); logstash-logback-encoder pushes the data to Logstash, and Logstash pushes the data to ES.

My logstash.conf is as follows:
input {
  tcp {
    port => 5044
    codec => multiline {
      what => "previous"
    }
  }
}
filter {
  grok {
    match => ["message", "(?<index_name>(?<=IndexName: ).*?(?=\s))"]
    match => ["message", "(?<doc_id>(?<=DocId: ).*?(?=\s))"]
    break_on_match => false
    remove_tag => ["_grokparsefailure","multiline"]
  }
  mutate {
    gsub => ['message', "\t", " "]
    gsub => ['message',"\e\[(\d*;)*(\d*)m"," "]
  }
}
output {
  if [index_name] == "Customer" {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "analytics-customers"
      document_id => "%{doc_id}"
    }
  } else {
    elasticsearch {
      hosts => ["localhost:9200"]
    }
  }
  stdout { codec => rubydebug }
}
The asker's desired pseudo-configuration:

grok {
  match => ["message", "(?<index_name>(?<=IndexName: ).*?(?=\s))"]
  if(index_name=="User"){
    //Invoke User template which will fetch/create fields from passed json.
  }
  if(index_name=="Order"){
    //Invoke Order template which will fetch/create fields from passed json.
  }
}

Answer:

If you are able to get the logs in a single line, that would be the best approach, because you can change the codec to "json_lines" and everything is parsed automatically.

Otherwise you can use IF (as described), e.g.:

if [subsystem] == "http" {
  mutate{ ... }
  grok{ ... }
}
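As an added example (not the asker's configuration and not the answerer's code), a complete pipeline that follows the answer's advice: json_lines on the input, then a conditional per index_name that runs only the grok pattern for that kind of record. The field names index_name, message and doc_id, the two grok patterns and the index names are assumptions; it also validates the doc_id that the question's config feeds into document_id before letting it address a document.

```logstash
input {
  tcp {
    port  => 5044
    # One JSON object per line, as logstash-logback-encoder emits it:
    # fields such as index_name and message arrive already parsed.
    codec => json_lines
  }
}

filter {
  # Assumed field names: "index_name" selects the pattern, "message" holds the raw text.
  # Each branch runs only the grok pattern for that kind of record and pins the
  # target index to a fixed string in [@metadata] (never indexed, only used for routing).
  if [index_name] == "User" {
    grok {
      match          => { "message" => "UserId: %{NOTSPACE:user_id} Action: %{WORD:action}" }
      tag_on_failure => ["_grokparsefailure_user"]
    }
    mutate { add_field => { "[@metadata][index]" => "analytics-users" } }
  } else if [index_name] == "Order" {
    grok {
      match          => { "message" => "OrderId: %{NOTSPACE:order_id} Amount: %{NUMBER:amount:float}" }
      tag_on_failure => ["_grokparsefailure_order"]
    }
    mutate { add_field => { "[@metadata][index]" => "analytics-orders" } }
  } else {
    mutate { add_field => { "[@metadata][index]" => "logstash-%{+YYYY.MM.dd}" } }
  }

  # doc_id comes from log text, i.e. from whatever the application (possibly a user-supplied
  # value) logged. Only a constrained shape may become an Elasticsearch document ID; anything
  # else is dropped and tagged so it cannot overwrite an unrelated document.
  if [doc_id] and [doc_id] !~ /^[A-Za-z0-9_-]{1,64}$/ {
    mutate {
      remove_field => ["doc_id"]
      add_tag      => ["invalid_doc_id"]
    }
  }
}

output {
  # The index name is the fixed value chosen above, not interpolated from event data.
  if [doc_id] {
    elasticsearch { hosts => ["localhost:9200"] index => "%{[@metadata][index]}" document_id => "%{doc_id}" }
  } else {
    elasticsearch { hosts => ["localhost:9200"] index => "%{[@metadata][index]}" }
  }
}
```

Events tagged invalid_doc_id are still indexed (with an auto-generated ID), so the rejected values can be reviewed rather than silently lost.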