logstash输出多个索引样式

时间:2020-05-21
本文章向大家介绍logstash输出多个索引样式,主要包括logstash输出多个索引样式使用实例、应用技巧、基本知识点总结和需要注意事项,具有一定的参考价值,需要的朋友可以参考一下。

filebeat配置

#表示的是会把 service作为fields的二级字段
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/aa.log
  fields: 
    service: aa

- type: log
  enabled: true
  paths:
    - /var/log/messages*
  fields:
    service: message

fields_under_root:如果该选项设置为true,则新增fields成为顶级目录,而不是将其放在fields目录下。自定义的field会覆盖filebeat默认的field。例如添加如下配置:

#表示的是会把 service作为fields顶级字段
fields:
  service: message
fields_under_root: true

logstash配置

#表示的是会把 service作为fields的二级字段logstash配置
output {
  stdout {
    codec => json
  }
  elasticsearch {
    hosts => ["https://node01:9200","https://node02:9200","https://node03:9200"]
    ssl => true
    cacert => "/home/logstash/logstash-7.5.1/config/certs/ca.crt"
    index => "logstash-%{[fields][service]}-%{+YYYY.MM.dd}"
    user => "logstash_writer"
    password => "logstash"
  }
}
#表示的是会把 service作为fields的顶级字段logstash配置
output {
  stdout {
    codec => json
  }
  elasticsearch {
    hosts => ["https://node01:9200","https://node02:9200","https://node03:9200"]
    ssl => true
    cacert => "/home/logstash/logstash-7.5.1/config/certs/ca.crt"
    index => "logstash-%{[service]}-%{+YYYY.MM.dd}"
    user => "logstash_writer"
    password => "logstash"
  }
}

也可以这样写

if [fields][service] == 'aa' {
    elasticsearch {
      hosts => ["https://node01:9200","https://node02:9200","https://node03:9200"]
      index => "logstash-aa-%{+YYYY.MM.dd}" 
      user => "logstash_writer" 
      password => "logstash" 
    } 
} 

if [fields][service] == "messages" { 
    elasticsearch { 
      hosts => ["https://node01:9200","https://node02:9200","https://node03:9200"]
      index => "logstash-messages-%{+YYYY.MM.dd}" 
      user => "logstash_writer" 
      password => "logstash" 
    } 
}

原文地址:https://www.cnblogs.com/fat-girl-spring/p/12931587.html

随机文章
本站知识点必读
最近更新