ES
cts618
Senior Big Data Engineer
Logstash: collecting log files from multiple directories
file {   # read from files
  path => "E:/software/logstash-1.5.4/logstash-1.5.4/data/*"   # a single glob
  # or watch several paths at once
  path => ["E:/software/logstash-1.5.4/logstash-1.5.4/data/*.log","F:/*.log"]
  # exclude files you do not want to tail
  exclude => "1.log"
...
Original · 2022-01-24 09:23:50 · 1163 reads · 0 comments
Logstash input
input {
  file {
    type => "jinyiweiapi"   # its purpose is explained later
    path => "/home/dockermount/jinyiwei/logs/catalina.out"   # log path
    codec => multiline {
      pattern => "^\["   # regex: a line starting with "[" begins a new log entry
      negate => true
...
Original · 2022-01-17 10:45:28 · 256 reads · 0 comments
Logstash conditional expressions
input {
  file {
    path => "/home/es/pass_audit/pass_audit2022-1-5.log"
    start_position => "beginning"
    sincedb_path => "/dev/null"   # read from the beginning every time
  }
}
filter {
  if "db_usr" in [message] {
    grok {
      match => { "message" =>
...
Original · 2022-01-17 09:33:16 · 182 reads · 0 comments
Logstash: adding and replacing timestamps
mutate { gsub => [ "Date", "Z$", "" ] }   # strip a trailing Z
date {
  match => [ "date", "ISO8601" ]   # the pattern must be a quoted string; note "Date" and "date" are different fields, names are case-sensitive
  target => "[@metadata][date]"
}
ruby {
  code => '
    t = Time.at(event.get("[@metadata][date]").to_i)
    d = DateTime.parse(t.to_s)
    event.set(
...
Original · 2022-01-13 15:33:41 · 619 reads · 0 comments
logstash时间转换
kibana使用日志时间进行排序 - 旺仔小码头 - 博客园原创 2022-01-13 09:15:53 · 684 阅读 · 0 评论 -
logstash.conf
filter {
  grok {
    match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    add_field => [ "received_at", "%{@tim...
Original · 2022-01-07 09:30:52 · 234 reads · 0 comments
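The grok stanza above, the `if "db_usr" in [message]` conditional from the pass_audit config, and the gsub/date/ruby chain from the timestamp entry all act on one event at a time, which makes them easy to check outside Logstash. The following is an added example written for this listing, not code from any of the posts: plain Ruby stand-ins for those three steps run over constructed sample events. SYSLOG_RE is a simplified approximation of the grok pattern, not Logstash's pattern library, and the sample messages, hostnames and the `db_audit` tag are made up.

```ruby
require "time"

# Added example, not code from the post: plain-Ruby stand-ins for the grok,
# conditional and date steps shown on this page, runnable without Logstash.
# SYSLOG_RE approximates the grok pattern
#   %{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA}
# with simplified sub-patterns; it is not Logstash's own pattern library.
SYSLOG_RE = /\A(?<syslog_timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?<syslog_hostname>[\w.-]+)\s(?<syslog_program>[^\s\[:]+)(?:\[(?<syslog_pid>\d+)\])?:\s(?<syslog_message>.*)\z/

# Equivalent of the page's grok stanza plus a conditional like
# `if "db_usr" in [message]`. Returns a new event hash: extracted fields and
# received_at (add_field => ["received_at", "%{@timestamp}"]) on a match, or
# the tag _grokparsefailure on a miss, which is what Logstash's grok filter does.
def filter_event(event)
  out = event.dup
  out["tags"] = Array(out["tags"]).dup
  msg = out["message"].to_s
  if (m = SYSLOG_RE.match(msg))
    m.names.each { |n| out[n] = m[n] if m[n] }  # optional pid stays absent when not present
    out["received_at"] = out["@timestamp"]
  else
    out["tags"] << "_grokparsefailure"
  end
  out["tags"] << "db_audit" if msg.include?("db_usr")  # substring conditional, as in the pass_audit config
  out
end

# Mirrors mutate { gsub => ["Date", "Z$", ""] } followed by
# date { match => ["date", "ISO8601"] } and the ruby filter's Time.at(...to_i).
# Caveat: once the Z is stripped the string no longer says it is UTC, so the
# zone has to come from somewhere else; Logstash's date filter uses its
# `timezone` option or the host zone. `assume_offset` plays that role here.
def parse_event_date(value, assume_offset: "+00:00")
  stripped = value.sub(/Z\z/, "")
  with_zone = stripped.match?(/[+-]\d{2}:\d{2}\z/) ? stripped : stripped + assume_offset
  t = Time.iso8601(with_zone)
  { "date" => stripped, "metadata_date" => t.utc.iso8601, "epoch" => t.to_i }
end

# Constructed sample events (not real data); message lines follow the
# traditional syslog line format that the grok pattern targets.
SAMPLE_EVENTS = [
  { "@timestamp" => "2022-01-07T09:30:52.000Z",
    "message" => "Jan  7 09:30:51 es-node1 sshd[2024]: Accepted publickey for es from 10.0.0.5 port 50022" },
  { "@timestamp" => "2022-01-07T09:30:53.000Z",
    "message" => "Jan  7 09:30:52 es-node1 audit: db_usr=report SELECT on pass_audit" },
  { "@timestamp" => "2022-01-07T09:30:54.000Z",
    "message" => "not a syslog line" },
]

def run_sample
  SAMPLE_EVENTS.map { |e| filter_event(e) }
end

if __FILE__ == $0
  run_sample.each { |e| p e }
  p parse_event_date("2022-01-13T15:33:41Z")
  p parse_event_date("2022-01-13T15:33:41Z", assume_offset: "+08:00")  # same text, 8 h earlier in UTC
end
```

Two things to carry back to the real pipeline: check for `_grokparsefailure` in the output rather than assuming every line parsed, and be deliberate about stripping the trailing Z, because the same string then lands eight hours apart depending on the zone the date filter falls back to, which is enough to break an incident timeline.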