Logstash學習之路(三)Logstash處理時區、類型轉換、刪除字段的案例配置


# Input stage
input {
    file {
        # Path(s) of the file(s) to read
        path => ["文件路徑"]
        # Custom event type, attached to every event from this input
        type => "自定義"
        # Read a file from its start instead of its end; this only affects
        # files that have no recorded read position yet
        start_position => "beginning"
    }
}

# Filter stage
filter{
# Strip carriage returns from the line
mutate{
gsub => [ "message", "\r", "" ]
}

# Split the line on commas; "message" becomes an array of columns
# NOTE(review): a value that itself contains a comma shifts every later index
mutate {
  split => ["message",","]
}

# After the split, copy array elements into named fields
# NOTE(review): "mydate", which the date filter below reads, is not assigned by
# any line shown here - presumably lost from the listing; confirm its column index
mutate{
                add_field =>   {
                                        "id" => "%{[message][0]}"
"cc" => "%{[message][5]}"
"bcc" => "%{[message][6]}"
"from_user" => "%{[message][7]}"
                                        "size" => "%{[message][8]}"
"attachments" => "%{[message][9]}"
"content" => "%{[message][10]}"
                     }
               }

# Parse the timestamp held in "mydate" and write the result to the "date" field;
# timezone names the zone the source timestamps are interpreted in
      date {
            match => [ "mydate", "MM/dd/yyyy HH:mm:ss" ]
                       target => "date"
  locale => "en"
  timezone => "+00:00"
# NOTE(review): this listing breaks off here - the closing braces of date and
# filter, and everything after them, are missing from this copy
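# Input stage
input {
    file {
        # Path(s) of the file(s) to read
        path => ["文件路徑"]
        # Custom event type, attached to every event from this input
        type => "自定義"
        # Read a file from its start instead of its end; this only affects
        # files that have no recorded read position yet
        start_position => "beginning"
    }
}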
        
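# Filter stage
filter {
    # Strip carriage returns from the line
    mutate {
        gsub => [ "message", "\r", "" ]
    }

    # Split the line on commas; "message" becomes an array of columns.
    # NOTE(review): a plain split misaligns every later index when a value
    # (for example the mail content) itself contains a comma. If the source is
    # quoted CSV, the csv filter parses quoted fields correctly.
    mutate {
        split => ["message", ","]
    }

    # After the split, copy array elements into named fields.
    # A line with fewer columns leaves the unresolved "%{[message][N]}" text in
    # the field, so check the column count before relying on these values.
    # NOTE(review): the date filter below reads "mydate", but no visible line
    # assigns it - the mapping was presumably lost from this listing. Add it
    # here with the correct column index.
    mutate {
        add_field => {
            "id"          => "%{[message][0]}"
            "user"        => "%{[message][2]}"
            "pc"          => "%{[message][3]}"
            "cc"          => "%{[message][5]}"
            "bcc"         => "%{[message][6]}"
            "from_user"   => "%{[message][7]}"
            "size"        => "%{[message][8]}"
            "attachments" => "%{[message][9]}"
            "content"     => "%{[message][10]}"
        }
    }

    # Parse the timestamp held in "mydate" and write the result to "date".
    # timezone names the zone the source timestamps are interpreted in; if the
    # logs were written in local time rather than UTC, event times come out
    # shifted, which skews any timeline built from them.
    date {
        match => [ "mydate", "MM/dd/yyyy HH:mm:ss" ]
        target => "date"
        timezone => "+00:00"
    }

    # Drop fields that are no longer needed.
    # NOTE(review): "host" and "path" record which machine and file an event
    # came from; keep them if these events feed audit or incident investigation.
    mutate {
        remove_field => ["message", "mydate", "@version", "host", "path"]
    }

    # Convert the two numeric fields from string to integer
    mutate {
        convert => {
            "size"        => "integer"
            "attachments" => "integer"
        }
    }
}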
        
# Output stage: ship events to Elasticsearch
# NOTE(review): as written, events (mail content, cc and bcc included) travel
# over plain HTTP and no credentials are configured. "host" and "protocol" are
# options of the early elasticsearch output; current plugin releases take
# "hosts" with https:// URLs plus "user"/"password" and a CA certificate
# setting. Check the option names against the installed plugin version.
output {
    #stdout { codec => rubydebug }
    elasticsearch {
        # Target hosts
        host => ["目標主機1", "目標主機2"]
        # Transport protocol
        protocol => "http"
        # Index name
        index => "自定義"
        # Document type
        document_type => "自定義"
    }
}

 

