需求:日志文件是json格式的,不同類型的日志的json字段不同,根據日志類型來分到不同的文件中。
不同的日志類型:
{"logType":"type1","userId":"","time":"","expReportnum":"","dealnum":""}
{"logType":"type2","userId":"","userName":"","time":"","expReportnum":""}
...
logType字段指定了日志類型
logstash的配置:
# 指定輸入數據源為beats 並且開發9011端口接受數據
input {
beats {
host => "0.0.0.0"
port => 9023
# 以json格式解析日志,方便下面配置取到 logType 字段
codec => json
}
}
filter{
mutate{
remove_field => ["host"]
remove_field => ["agent"]
remove_field => ["ecs"]
remove_field => ["tags"]
remove_field => ["fields"]
remove_field => ["@version"]
remove_field => ["input"]
remove_field => ["log"]
remove_field => ["cloud"]
remove_field => ["uuid"]
lowercase => ["logType"]
}
# 如果 json 中沒有 logType 字段,添加一個 logType 字段,並設置值為 other
if ![logType] {
mutate {
add_field => {"logType" => "other"}
}
}
# 指定數據輸出源為elasticsearch 並且指定index名稱
output {
elasticsearch{
hosts=>["172.16.131.131:9200"]
index=>"index1"
}
# 通過 %{logType} 可以引用 logType 字段的值
file {
path => "/home/log/logfile-%{logType}-%{+YYYY}-%{+MM}-%{+dd}.log"
}
stdout { codec => rubydebug }
}