logstash 清洗cdn日志的开发文件 配置

最新推荐文章于 2022-06-12 23:56:28 发布
最新推荐文章于 2022-06-12 23:56:28 发布
阅读量168 收藏 1
点赞数
文章标签: 运维 操作系统 json
原文链接:https://my.oschina.net/xiaohelong/blog/895864
版权

2019独角兽企业重金招聘Python工程师标准>>> hot3.png

  1. 本配置主要是在针对视频点播网站做日志分析清洗的时候的开发配置,主要有三个方面可以参考配置,正则表达式以及输出时的模版
  2. 当数据量很大时,正则表达式的好坏决定了,清洗的效率也是导致效率低下最容易的节点。
  3. 发出此开发的配置,一是方便自己记录,二是方便有需求的同志们。

针对版本1.4.2

运行 logstash -f D:\logstash-1.4.2\config\shipper.config

以下是配置文件shipper.config,正则表达式,以及输出template

input {
#node part
#      file{
#	       type=>"dbagent_access"
#	       path=>"/mnt/develop/elk/logs/张小寒/access.log"
#	       start_position=>"beginning"
#      }
      file{
	       type=>"dbagent_error"
	       path=>"/mnt/develop/elk/logs/张小寒/error.log"
	       start_position=>"beginning"
       }
}

filter {
       if[type]=="cdn"
	{
               #this is a flash player error
		grok{
			break_on_match=>true
			#condition 1
		        patterns_dir=>["/mnt/develop/elk/app/logstash-1.4.2/patterns"]
			match=>["message","%{CDN_PATTERN_HTTP_UUID}"]
			match=>["message","%{CDN_PATTERN_HTTP}"]
			match=>["message","%{CDN_PATTERN_MOVIEINFO_HTTP}"]
			match=>["message","%{CDN_PATTERN_MOVIEINFO}"]
			match=>["message","%{CDN_PATTERN_PCVCR_HTTP}"]
			match=>["message","%{CDN_PATTERN_PCVCR}"]
			match=>["message","%{CDN_PATTERN_VCR_HTTP}"]
			match=>["message","%{CDN_PATTERN_VCR}"]
			match=>["message","%{CDN_PATTERN_prvcr_HTTP}"]
			match=>["message","%{CDN_PATTERN_prvcr}"]
			add_tag=>["%{[type]}","grokked","%{[etype]}"]
		}
	     	if "_grokparsefailure" in [tags]
       		{
			drop{}
       		}


                
		if "unknown"==[chost] or ![chost]
                {#because when client ip is 'unknown', we do not need this value
                      date {
			   #use timezone is to avoid the value subtract timezone,if +8 zone,hours will be -8,in deploy situation ,please check the hour value is correct, if not try remove timezone
  			    timezone=>"Etc/UTC"
			    match => ["timestamp","YYYY-MM-dd HH:mm:ss"]
		            target=>"timestamp"
                            remove_field=>["chost"]
	              }
		}else{
                   date {
			   #use timezone is to avoid the value subtract timezone,if +8 zone,hours will be -8,in deploy situation ,please check the hour value is correct, if not try remove timezone
  			    timezone=>"Etc/UTC"
			    match => ["timestamp","YYYY-MM-dd HH:mm:ss"]
		            target=>"timestamp"
	              }
		}
               if [chost]
               {
		geoip {
		   source => "chost"
	           target=>"cgeo"
		   remove_field => ['[cgeo][ip]','[cgeo][postal_code]','[cgeo][dma_code]','[cgeo][area_code]','[cgeo][country_code2]','[cgeo][country_code3]','[cgeo][continent_code]','[cgeo][region_name]','[cgeo][city_name]','[cgeo][latitude]','[cgeo][longitude]','[cgeo][timezone]','[cgeo][location]']
		#database=>["path"]
                  }
                }
		#ruby{
                # in  linux, if hostname is no configured in hosts file, logstash get 0.0.0.0 ,so we add this code to get hostname on linux platform
                #     code=>"
                #              IO.popen('hostname') { |io| while (line = io.gets) do event['host']=line end }
                #           "
                #}
        	mutate{
	              remove_field=>["path","@version","@timestamp","type","etype"]
           	      convert => [ "status", "integer" ]
                 }

        }else if [type]=="nginx_access"
	{
		grok{
			 break_on_match=>true
	                 #condition 1
		         match=>["message","%{NGINX_ACCESS}"]
			 patterns_dir=>["/mnt/develop/elk/app/logstash-1.4.2/patterns"]
			 add_tag=>["%{[type]}","grokked","access"]
		}
#		if "_grokparsefailure" in [tags]
#	        {
#        	     drop{}
#        	}
                geoip {
	                  source => "chost"
	                  target=>"cgeo"
	            	  remove_field => ['[cgeo][ip]','[cgeo][postal_code]','[cgeo][dma_code]','[cgeo][area_code]','[cgeo][country_code2]','[cgeo][country_code3]','[cgeo][continent_code]','[cgeo][region_name]','[cgeo][city_name]','[cgeo][latitude]','[cgeo][longitude]','[cgeo][timezone]','[cgeo][location]']
	                  #database=>["path"]
	        }
                #ruby{
		  # in  linux, if hostname is no configured in hosts file, logstash get 0.0.0.0 ,so we add this code to get hostname on linux platform
                 #    code=>"
		#	      IO.popen('hostname') { |io| while (line = io.gets) do event['host']=line end }
                 #          "
		#}
		mutate{
                   gsub => [
                        "a_month", "Jan(?:uary)?", "01",
		        "a_month", "Feb(?:ruary)?", "02",
			"a_month", "Mar(?:ch)?", "03",
			"a_month", "Apr(?:il)?", "04",
			"a_month", "May", "05",
			"a_month", "Jun(?:e)?", "06",
			"a_month", "Jul(?:y)?", "07",
			"a_month", "Aug(?:ust)?", "08",
			"a_month", "Sep(?:tember)?", "09",
			"a_month", "Oct(?:ober)?", "10",
			"a_month", "Nov(?:ember)?", "11",
			"a_month", "Dec(?:ember)?", "12"
                   ]
		   add_field =>{
			   "cdn_date" => "%{a_year}-%{a_month}-%{a_day}"
                           "timestamp" =>"%{cdn_date} %{time}"
		           }
                   remove_field=>["path","@version","@timestamp","type","time","a_day","a_month","a_year","message"]
		   convert=>["status","integer"]
		}
	     date {
			   #use timezone is to avoid the value subtract timezone,if +8 zone,hours will be -8,in deploy situation ,please check the hour value is correct, if not try remove timezone
  			  timezone=>"Etc/UTC"
	        	  match => ["timestamp","YYYY-MM-dd HH:mm:ss"]
		          target=>"timestamp"
	        }

		

	}else if [type]=="nginx_error"
	{
		  grok{
			break_on_match=>true
			#condition 1
			patterns_dir=>["/mnt/develop/elk/app/logstash-1.4.2/patterns"]
			match=>["message","%{NGINX_ERROR_1301}"]
                        match=>["message","%{NGINX_ERROR}"]
			add_tag=>["%{[type]}","grokked","error"]
		 }
                 if "_grokparsefailure" in [tags]
		 {
             		drop{}
                 }	
		 geoip {
			source => "chost"
			target=>"cgeo"
			remove_field => ['[cgeo][ip]','[cgeo][postal_code]','[cgeo][dma_code]','[cgeo][area_code]','[cgeo][country_code2]','[cgeo][country_code3]','[cgeo][continent_code]','[cgeo][region_name]','[cgeo][city_name]','[cgeo][latitude]','[cgeo][longitude]','[cgeo][timezone]','[cgeo][location]']
			#database=>["path"]
		 }
		ruby {
		              #note 1 ruby need to be put before mutate
			      #note 2 if not run or correctly run ruby ,please install jruby and try it again
			      #in  linux, if hostname is no configured in hosts file, logstash get 0.0.0.0 ,so we add this code to get hostname on linux platform IO.popen('hostname')
			      
		              code => "
                                #IO.popen('hostname') { |io| while (line = io.gets) do event['host']=line end }   
				event['interval']=event['rtime'].to_i-event['qtime'].to_i
                           "

		   }
		  mutate{
		     
                          strip => ["info"]
			  convert=>{
                                 "status"=>"integer"
				}
		 		add_field => {
				   "cdn_date" => "%{e_year}-%{e_month}-%{e_day}"
                         	   "timestamp" =>"%{cdn_date} %{time}"
		          	 }

			 remove_field=>["path","@version","@timestamp","type","time","e_year","e_month","e_day","message","qtime","rtime"]
		  }
		date {
			  timezone=>"Etc/UTC"
	        	  match => ["timestamp","YYYY-MM-dd HH:mm:ss"]
		          target=>"timestamp"
	        }


	}else if [type]=="res-monitor"
	{
                 grok{
			break_on_match=>true
			#condition 1
			patterns_dir=>["/mnt/develop/elk/app/logstash-1.4.2/patterns"]
			match=>["message","%{RESMONITOR_PATTERN_VRB}"]
                        match=>["message","%{CDNDELIVERY_PATTERN_WRN_ERRINFO}"]
			match=>["message","%{CDNDELIVERY_PATTERN_WRN_NOERR}"]
		        match=>["message","%{CDNDELIVERY_PATTERN_ERR_ERRINFO}"]
			match=>["message","%{CDNDELIVERY_PATTERN_ERR_NOERR}"]
			add_tag=>["%{[type]}","grokked","%{[etype]}"]
		 }
               if "_grokparsefailure" in [tags]
		 {
			drop{}
		}	
		ruby {
		              #note 1 ruby need to be put before mutate
			      #note 2 if not run or correctly run ruby ,please install jruby and try it again
			      #in  linux, if hostname is no configured in hosts file, logstash get 0.0.0.0 ,so we add this code to get hostname on linux platform IO.popen('hostname')
			      
		              code => "
                               # IO.popen('hostname') { |io| while (line = io.gets) do event['host']=line end }

				# get date from path
			      event['e_year']=event['path'][-12..-9]
			      event['e_month']=event['path'][-8..-7]
			      event['e_day']=event['path'][-6..-5]
                           "

		   }
		mutate{
			  add_field => {
				"cdn_date" => "%{e_year}-%{e_month}-%{e_day}"
   				"timestamp" =>"%{cdn_date} %{e_hour}:%{e_minute}:%{e_second}"
			  }
	         	 remove_field=>["path","@version","@timestamp","type","e_year","e_month","e_day","e_hour","e_minute","e_second"]
		  } 
	
               if [etype]=="VRB"
		{
			date {
                          timezone=>"Etc/UTC"
	        	  match => ["timestamp","YYYY-MM-dd HH:mm:ss"]
		          target=>"timestamp"
                          remove_field=>["message","etype"]
	        }
		}else{
			date {
                          #use timezone is to avoid the value subtract timezone,if +8 zone,hours will be -8,in deploy situation ,please check the hour value is correct, if not try remove timezone
  			  timezone=>"Etc/UTC"
	        	  match => ["timestamp","YYYY-MM-dd HH:mm:ss"]
		          target=>"timestamp"
                          remove_field=>["etype"]
			
	        	}
		}
	}else if [type]=="cdndelivery_filecollect"
	{
               
                 grok{
			break_on_match=>true
			#condition 1
			patterns_dir=>["/mnt/develop/elk/app/logstash-1.4.2/patterns"]
			match=>["message","%{FILECOLLECT_PATTERN_VRB}"]
                        match=>["message","%{CDNDELIVERY_PATTERN_WRN_ERRINFO}"]
			match=>["message","%{CDNDELIVERY_PATTERN_WRN_NOERR}"]
		        match=>["message","%{CDNDELIVERY_PATTERN_ERR_ERRINFO}"]
			match=>["message","%{CDNDELIVERY_PATTERN_ERR_NOERR}"]
			add_tag=>["%{[type]}","grokked","%{[etype]}"]
		 }
               if "_grokparsefailure" in [tags]
		 {
			drop{}
		}	
		ruby {
		              #note 1 ruby need to be put before mutate
			      #note 2 if not run or correctly run ruby ,please install jruby and try it again
			      #in  linux, if hostname is no configured in hosts file, logstash get 0.0.0.0 ,so we add this code to get hostname on linux platform IO.popen('hostname')
			      
		              code => "
                               # IO.popen('hostname') { |io| while (line = io.gets) do event['host']=line end }

				# get date from path
			      event['e_year']=event['path'][-12..-9]
			      event['e_month']=event['path'][-8..-7]
			      event['e_day']=event['path'][-6..-5]
                           "

		   }
		mutate{
			  add_field => {
				"cdn_date" => "%{e_year}-%{e_month}-%{e_day}"
   				"timestamp" =>"%{cdn_date} %{e_hour}:%{e_minute}:%{e_second}"
			  }
	         	 remove_field=>["path","@version","@timestamp","type","e_year","e_month","e_day","e_hour","e_minute","e_second"]
		  } 
	
               if[etype]=="VRB"
		{
			date {
                          timezone=>"Etc/UTC"
	        	  match => ["timestamp","YYYY-MM-dd HH:mm:ss"]
		          target=>"timestamp"
                         remove_field=>["message","etype"]
	        }
		}else{
			date {
                          #use timezone is to avoid the value subtract timezone,if +8 zone,hours will be -8,in deploy situation ,please check the hour value is correct, if not try remove timezone
  			  timezone=>"Etc/UTC"
	        	  match => ["timestamp","YYYY-MM-dd HH:mm:ss"]
		          target=>"timestamp"
			 remove_field=>["etype"]
	        	}
		}
	}else if [type]=="cdndelivery_nodeschedule"
	{
                grok{
			break_on_match=>true
			#condition 1
			patterns_dir=>["/mnt/develop/elk/app/logstash-1.4.2/patterns"]
                        #I can not find the VRB event here ,so I ignore it first
			#match=>["message","%{NODESCHEDULE_PATTERN_VRB}"]
			match=>["message","%{NODESCHEDULE_PATTERN_INF}"]
                        match=>["message","%{CDNDELIVERY_PATTERN_WRN_ERRINFO}"]
			match=>["message","%{CDNDELIVERY_PATTERN_WRN_NOERR}"]
		        match=>["message","%{CDNDELIVERY_PATTERN_ERR_ERRINFO}"]
			match=>["message","%{CDNDELIVERY_PATTERN_ERR_NOERR}"]
			add_tag=>["%{[type]}","grokked","%{[etype]}"]
		 }
               if "_grokparsefailure" in [tags]
		 {
			drop{}
		}	
		ruby {
		              #note 1 ruby need to be put before mutate
			      #note 2 if not run or correctly run ruby ,please install jruby and try it again
			      #in  linux, if hostname is no configured in hosts file, logstash get 0.0.0.0 ,so we add this code to get hostname on linux platform IO.popen('hostname')
			      
		              code => "
                                #IO.popen('hostname') { |io| while (line = io.gets) do event['host']=line end }

				# get date from path
			      event['e_year']=event['path'][-12..-9]
			      event['e_month']=event['path'][-8..-7]
			      event['e_day']=event['path'][-6..-5]
                           "

		   }
		mutate{
			  add_field => {
				"cdn_date" => "%{e_year}-%{e_month}-%{e_day}"
   				"timestamp" =>"%{cdn_date} %{e_hour}:%{e_minute}:%{e_second}"
			  }
	         	 remove_field=>["path","@version","@timestamp","type","e_year","e_month","e_day","e_hour","e_minute","e_second"]
		  } 
	
               if [etype]=="VRB" or [etype]=="INF"
		{
			date {
                          timezone=>"Etc/UTC"
	        	  match => ["timestamp","YYYY-MM-dd HH:mm:ss"]
		          target=>"timestamp"
                          remove_field=>["message","etype"]
	                }
		}else{
			date {
                          #use timezone is to avoid the value subtract timezone,if +8 zone,hours will be -8,in deploy situation ,please check the hour value is correct, if not try remove timezone
  			  timezone=>"Etc/UTC"
	        	  match => ["timestamp","YYYY-MM-dd HH:mm:ss"]
		          target=>"timestamp"
			 remove_field=>["etype"]
	        	}
		}
	}else if [type]=="cdndelivery_storageschedule"
	{
               grok{
			break_on_match=>true
			#condition 1
			patterns_dir=>["/mnt/develop/elk/app/logstash-1.4.2/patterns"]
                        #I can not find the VRB event here ,so I ignore it first
			#match=>["message","%{STORAGESCHEDULE_PATTERN_VRB}"]
                        match=>["message","%{CDNDELIVERY_PATTERN_WRN_ERRINFO}"]
			match=>["message","%{CDNDELIVERY_PATTERN_WRN_NOERR}"]
		        match=>["message","%{CDNDELIVERY_PATTERN_ERR_ERRINFO}"]
			match=>["message","%{CDNDELIVERY_PATTERN_ERR_NOERR}"]
			add_tag=>["%{[type]}","grokked","%{[etype]}"]
		 }
               if "_grokparsefailure" in [tags]
		 {
			drop{}
		}	
		ruby {
		              #note 1 ruby need to be put before mutate
			      #note 2 if not run or correctly run ruby ,please install jruby and try it again
			      #in  linux, if hostname is no configured in hosts file, logstash get 0.0.0.0 ,so we add this code to get hostname on linux platform IO.popen('hostname')
			      
		              code => "
                               # IO.popen('hostname') { |io| while (line = io.gets) do event['host']=line end }

				# get date from path
			      event['e_year']=event['path'][-12..-9]
			      event['e_month']=event['path'][-8..-7]
			      event['e_day']=event['path'][-6..-5]
                           "

		   }
		mutate{
			  add_field => {
				"cdn_date" => "%{e_year}-%{e_month}-%{e_day}"
   				"timestamp" =>"%{cdn_date} %{e_hour}:%{e_minute}:%{e_second}"
			  }
	         	 remove_field=>["path","@version","@timestamp","type","e_year","e_month","e_day","e_hour","e_minute","e_second"]
		  } 
	
               if [etype]=="VRB" 
		{
			date {
                          timezone=>"Etc/UTC"
	        	  match => ["timestamp","YYYY-MM-dd HH:mm:ss"]
		          target=>"timestamp"
                         remove_field=>["message","etype"]
	                 }
		}else{
			date {
                          #use timezone is to avoid the value subtract timezone,if +8 zone,hours will be -8,in deploy situation ,please check the hour value is correct, if not try remove timezone
  			  timezone=>"Etc/UTC"
	        	  match => ["timestamp","YYYY-MM-dd HH:mm:ss"]
		          target=>"timestamp"
			 remove_field=>["etype"]
	        	}
		}
	}else if [type]=="cdndelivery_notify"
	{
		   grok{
			break_on_match=>true
			#condition 1
			patterns_dir=>["/mnt/develop/elk/app/logstash-1.4.2/patterns"]
                        #I can not find the VRB event here ,so I ignore it first
			#match=>["message","%{NOTIFY_PATTERN_VRB}"]
                        match=>["message","%{CDNDELIVERY_PATTERN_WRN_ERRINFO}"]
			match=>["message","%{CDNDELIVERY_PATTERN_WRN_NOERR}"]
		        match=>["message","%{CDNDELIVERY_PATTERN_ERR_ERRINFO}"]
			match=>["message","%{CDNDELIVERY_PATTERN_ERR_NOERR}"]
			add_tag=>["%{[type]}","grokked","%{[etype]}"]
		 }
               if "_grokparsefailure" in [tags]
		 {
			drop{}
		}	
		ruby {
		              #note 1 ruby need to be put before mutate
			      #note 2 if not run or correctly run ruby ,please install jruby and try it again
			      #in  linux, if hostname is no configured in hosts file, logstash get 0.0.0.0 ,so we add this code to get hostname on linux platform IO.popen('hostname')
			      
		              code => "
                               # IO.popen('hostname') { |io| while (line = io.gets) do event['host']=line end }

				# get date from path
			      event['e_year']=event['path'][-12..-9]
			      event['e_month']=event['path'][-8..-7]
			      event['e_day']=event['path'][-6..-5]
                           "

		   }
		mutate{
			  add_field => {
				"cdn_date" => "%{e_year}-%{e_month}-%{e_day}"
   				"timestamp" =>"%{cdn_date} %{e_hour}:%{e_minute}:%{e_second}"
			  }
	         	 remove_field=>["path","@version","@timestamp","type","e_year","e_month","e_day","e_hour","e_minute","e_second"]
		  } 
	
               if[etype]=="VRB"
		{
			date {
                          timezone=>"Etc/UTC"
	        	  match => ["timestamp","YYYY-MM-dd HH:mm:ss"]
		          target=>"timestamp"
                         remove_field=>["message","etype"]
	        }
		}else{
			date {
                          #use timezone is to avoid the value subtract timezone,if +8 zone,hours will be -8,in deploy situation ,please check the hour value is correct, if not try remove timezone
  			  timezone=>"Etc/UTC"
	        	  match => ["timestamp","YYYY-MM-dd HH:mm:ss"]
		          target=>"timestamp"
			 remove_field=>["etype"]
	        	}
		}
	}else if [type]=="statout"
	{
             grok{
			break_on_match=>true
			#condition 1
			patterns_dir=>["/mnt/develop/elk/app/logstash-1.4.2/patterns"]
                        #I can not find the VRB event here ,so I ignore it first
			#match=>["message","%{NOTIFY_PATTERN_VRB}"]
                        match=>["message","%{STATOUT_PATTERN}"]
			add_tag=>["%{[type]}","grokked","statout"]
		 }
               if "_grokparsefailure" in [tags]
		 {
			drop{}
		}	
		ruby {
		              #note 1 ruby need to be put before mutate
			      #note 2 if not run or correctly run ruby ,please install jruby and try it again
			      #in  linux, if hostname is no configured in hosts file, logstash get 0.0.0.0 ,so we add this code to get hostname on linux platform IO.popen('hostname')
			      
		              code => "
                               # IO.popen('hostname') { |io| while (line = io.gets) do event['host']=line end }
				# get date from path
			      event['e_year']=event['path'][-18..-15]
			      event['e_month']=event['path'][-14..-13]
			      event['e_day']=event['path'][-12..-11]
                           "

		   }
		mutate{
			  add_field => {
				"cdn_date" => "%{e_year}-%{e_month}-%{e_day}"
   				"timestamp" =>"%{cdn_date} %{e_time}"
			  }
	         	 remove_field=>["path","@version","@timestamp","type","e_type","message","e_year","e_month","e_day","e_time"]
		  } 
	
             
			date {
                          #use timezone is to avoid the value subtract timezone,if +8 zone,hours will be -8,in deploy situation ,please check the hour value is correct, if not try remove timezone
  			  timezone=>"Etc/UTC"
	        	  match => ["timestamp","YYYY-MM-dd HH:mm:ss"]
		          target=>"timestamp"
	        	}
	}
         else if [type]=="dbagent_access"
	{
		grok{
			 break_on_match=>true
	                 #condition 1
			 patterns_dir=>["/mnt/develop/elk/app/logstash-1.4.2/patterns"]
		         match=>["message","%{DBAGENT_ACCESS}"]
			 add_tag=>["%{[type]}","grokked","access"]
		}
		if "_grokparsefailure" in [tags]
	        {
        	     drop{}
        	}
		if [status]=="200"
		{
                   #200 is normal http status, here we just need exception status,so drop 200
			drop{}
		}
                #ruby{
		  # in  linux, if hostname is no configured in hosts file, logstash get 0.0.0.0 ,so we add this code to get hostname on linux platform
                 #    code=>"
		#	      IO.popen('hostname') { |io| while (line = io.gets) do event['host']=line end }
                 #          "
		#}
		mutate{
                   gsub => [
                        "a_month", "Jan(?:uary)?", "01",
		        "a_month", "Feb(?:ruary)?", "02",
			"a_month", "Mar(?:ch)?", "03",
			"a_month", "Apr(?:il)?", "04",
			"a_month", "May", "05",
			"a_month", "Jun(?:e)?", "06",
			"a_month", "Jul(?:y)?", "07",
			"a_month", "Aug(?:ust)?", "08",
			"a_month", "Sep(?:tember)?", "09",
			"a_month", "Oct(?:ober)?", "10",
			"a_month", "Nov(?:ember)?", "11",
			"a_month", "Dec(?:ember)?", "12"
                   ]
		   add_field =>{
			   "cdn_date" => "%{a_year}-%{a_month}-%{a_day}"
                           "timestamp" =>"%{cdn_date} %{time}"
		           }
                   remove_field=>["path","@version","@timestamp","type","time","a_day","a_month","a_year","message"]
		   convert=>["status","integer"]
		}
	     date {
			   #use timezone is to avoid the value subtract timezone,if +8 zone,hours will be -8,in deploy situation ,please check the hour value is correct, if not try remove timezone
  			  timezone=>"Etc/UTC"
	        	  match => ["timestamp","YYYY-MM-dd HH:mm:ss"]
		          target=>"timestamp"
	        }

		

	}else if [type]=="dbagent_error"
	{
		grok{
			 break_on_match=>true
	                 #condition 1
			 patterns_dir=>["/mnt/develop/elk/app/logstash-1.4.2/patterns"]
                         match=>["message","%{DBAGENT_ERROR_3}"]
		         match=>["message","%{DBAGENT_ERROR_2}"]
		         match=>["message","%{DBAGENT_ERROR_1}"]
			 add_tag=>["%{[type]}","grokked","error"]
		}
		if "_grokparsefailure" in [tags]
	        {
			#drop{}
        	}else
		{
		mutate{
			 add_field => {
				"cdn_date" => "%{e_year}-%{e_month}-%{e_day}"
   				"timestamp" =>"%{cdn_date} %{time}"
			  }
	         	 remove_field=>["path","@version","@timestamp","type","e_year","e_month","e_day","time"]
		  } 
	date {
		         #use timezone is to avoid the value subtract timezone,if +8 zone,hours will be -8,in deploy situation ,please check the     hour value is correct, if not try remove timezone
			 timezone=>"Etc/UTC"
		         match => ["timestamp","YYYY-MM-dd HH:mm:ss"]
		         target=>"timestamp"
		}
		}
	}else if[type]=="media-info_HashValidService_info" or [type]=="media-info_HashValidService_error" or [type]=="media-info_PicKeyFramesService_info" or [type]=="media-info_PicKeyFramesService_error" or [type]=="media-info_PollCDNFileQueueService_CdnInterFaceLog_error_error" or [type]=="media-info_PollCDNFileQueueService_CdnInterFaceLog_error_info" 
or [type]=="media-info_PollCDNFileQueueService_PollCDNFileQueue_error_error" or [type]=="media-info_PollCDNFileQueueService_PollCDNFileQueue_error_info" or [type]=="media-info_CdnPost_error" or [type]=="media-info_CdnPost_info" or [type]=="media-info_PassThroughService_error" or [type]=="media-info_PassThroughService_info" or [type]=="media-info_DispatchService_DispatchService_error" or [type]=="media-info_DispatchService_DispatchService_info" or [type]=="media-info_DispatchService_MessageQueue_error" or [type]=="media-info_DispatchService_MessageQueue_info" or [type]=="media-info_AssetIntefaceWebservice_error" or [type]=="media-info_AssetIntefaceWebservice_info" or [type]=="media-info_MgBoss_Asset_error" or [type]=="media-info_MgBoss_Asset_info" or [type]=="media-info_MgBoss_CDN_error" or [type]=="media-info_MgBoss_CDN_info" or [type]=="media-info_MgBoss_DataAccess_error" or [type]=="media-info_MgBoss_DataAccess_info" or [type]=="media-info_MgBoss_EFSQL_error" or [type]=="media-info_MgBoss_EFSQL_info" or [type]=="media-info_MgBoss_Power_error" or [type]=="media-info_MgBoss_Power_info" or [type]=="media-info_MgBoss_Sys_error" or [type]=="media-info_MgBoss_Sys_info" or [type]=="media-info_MgBoss_Template_error" or [type]=="media-info_MgBoss_Template_info"
	  {
	      grok{
				 break_on_match=>true
			         #condition 1
				 patterns_dir=>["/mnt/develop/elk/app/logstash-1.4.2/patterns"]
		                 match=>["message","%{INFOERROR_PATTERN}"]
			}
		       if "_grokparsefailure" in [tags]
			{
			     drop{}
			}
			ruby{
			  # in  linux, if hostname is no configured in hosts file, logstash get 0.0.0.0 ,so we add this code to get hostname on linux platform
		             code=>"
		                    tmpArray=event['type'].split('_');
		                    if tmpArray.length==4
		                      event['appname']=tmpArray[1]
		                      event['category']=tmpArray[2]
		                    elsif tmpArray.length==3
		                      event['appname']=tmpArray[1]
		                    end
		                    event['index_type']=tmpArray[tmpArray.length-1]
		                   "
			}
			mutate{
				 add_field => {"timestamp" =>"%{e_date} %{e_time}"}
			 	 remove_field => ["path","@version","@timestamp","message","e_time"]
		                 remove_tag => ["multiline"]
			  } 

			date {
				 #use timezone is to avoid the value subtract timezone,if +8 zone,hours will be -8,in deploy situation ,please check the     hour value is correct, if not try remove timezone
				 timezone=>"Etc/UTC"
				 match => ["timestamp","YYYY-MM-dd HH:mm:ss"]
				 target=>"timestamp"
			}
	  }else if [type]=="media-info_LiveProgramList"
	  {
		        grok{
				 break_on_match=>true
			         #condition 1
				 patterns_dir=>["/mnt/develop/elk/app/logstash-1.4.2/patterns"]
		                 match=>["message","%{LOGOFONTIMERUN}"]
			}
			if "_grokparsefailure" in [tags]
			{
			      drop{}
			}
			ruby{
			  # in  linux, if hostname is no configured in hosts file, logstash get 0.0.0.0 ,so we add this code to get hostname on linux platform
		             code=>"
		                        event['appname']='LiveProgramList'
		                        event['index_type']='LiveProgramList'
		                   "
			}

			mutate{
		                add_field=>{"timestamp" =>"%{e_date} %{e_time}"}
				remove_field=>["path","@version","@timestamp","message","e_time"]
			   }
			date {
				 #use timezone is to avoid the value subtract timezone,if +8 zone,hours will be -8,in deploy situation ,please check the     hour value is correct, if not try remove timezone
				 timezone=>"Etc/UTC"
				 match => ["timestamp","YYYY-MM-dd HH:mm:ss"]
				 target=>"timestamp"
			}
	  }else if [type]=="router"
	{
		grok{
			 break_on_match=>true
	                 #condition 1
		         match=>["message","%{ROUTER_OK}"]
		         match=>["message","%{ROUTER_ERROR}"]
			 patterns_dir=>["/mnt/develop/elk/app/logstash-1.4.2/patterns"]
			 add_tag=>["%{[type]}","grokked","%{[status]}"]
		}
		if "_grokparsefailure" in [tags]
	        {
        	     drop{}
        	}
                #geoip {
	        #          source => "chost"
	        #          target=>"cgeo"
	        #    	  remove_field => ['[cgeo][ip]','[cgeo][postal_code]','[cgeo][dma_code]','[cgeo][area_code]','[cgeo][country_code2]','[cgeo][country_code3]','[cgeo][continent_code]','[cgeo][region_name]','[cgeo][city_name]','[cgeo][latitude]','[cgeo][longitude]','[cgeo][timezone]','[cgeo][location]']
	        #          #database=>["path"]
	        #}
#                ruby{
		  # in  linux, if hostname is no configured in hosts file, logstash get 0.0.0.0 ,so we add this code to get hostname on linux platform
 #                    code=>"
#			      IO.popen('hostname') { |io| while (line = io.gets) do event['host']=line end }
 #                          "
#		}
		mutate{
		   add_field =>{
			   "date"=>"%{year}-%{month}-%{day}"
                           "timestamp" =>"%{date} %{time}"
		           }
                   remove_field=>["path","@version","@timestamp","type","time","day","month","year","message","time"]
		}
	     date {
			   #use timezone is to avoid the value subtract timezone,if +8 zone,hours will be -8,in deploy situation ,please check the hour value is correct, if not try remove timezone
  			  timezone=>"Etc/UTC"
	        	  match => ["timestamp","YYYY-MM-dd HH:mm:ss"]
		          target=>"timestamp"
	        }

	}else if [type]=="routerdll"
	{
		grok{
			 break_on_match=>true
	                 #condition 1
		         match=>["message","%{ROUTERDLL_ERR}"]
			 patterns_dir=>["/mnt/develop/elk/app/logstash-1.4.2/patterns"]
			 add_tag=>["%{[type]}","grokked","%{[etype]}"]
		}
		if "_grokparsefailure" in [tags]
	        {
        	     drop{}
        	}
                #geoip {
	        #          source => "uip"
	        #          target=>"cgeo"
	        #    	  remove_field => ['[cgeo][ip]','[cgeo][postal_code]','[cgeo][dma_code]','[cgeo][area_code]','[cgeo][country_code2]','[cgeo][country_code3]','[cgeo][continent_code]','[cgeo][region_name]','[cgeo][city_name]','[cgeo][latitude]','[cgeo][longitude]','[cgeo][timezone]','[cgeo][location]']
	        #          #database=>["path"]
	        #}
                ruby{
		  # in  linux, if hostname is no configured in hosts file, logstash get 0.0.0.0 ,so we add this code to get hostname on linux platform
                     code=>"
			     x=event['path'].index(/_/)
                             #  puts x 
                             #puts event['path']
                             #puts event['type']
			    tmpDate=event['path'][x+1..x+1+8]
			    event['date']=tmpDate[0..3]+'-'+tmpDate[4..5]+'-'+tmpDate[6..7]
#			      IO.popen('hostname') { |io| while (line = io.gets) do event['host']=line end }
                           "
		}
		mutate{
		   add_field =>{
                           "timestamp" =>"%{date} %{time}"
		           }
                   remove_field=>["path","@version","@timestamp","type","time","a_day","a_month","a_year","message","time"]
		}
	     date {
			   #use timezone is to avoid the value subtract timezone,if +8 zone,hours will be -8,in deploy situation ,please check the hour value is correct, if not try remove timezone
  			  timezone=>"Etc/UTC"
	        	  match => ["timestamp","YYYY-MM-dd HH:mm:ss"]
		          target=>"timestamp"
	        }
	}
}

output {
       #stdout { codec => rubydebug }
	if "cdn" in [tags]
	{
#this is a flash player error
#			file{
#			 path=>"/mnt/develop/elk/app/logstash-1.4.2/logs/cdn-prvcr.log"
#			}
			elasticsearch
			{
				protocol=>"http"
				cluster=>"hunantv_cdn"
				host=>"localhost"
				bind_host=>"localhost"
				#port=>"9200"
				codec=>"json"
				template=>"/mnt/develop/elk/app/logstash-1.4.2/template/cdn.json"
				template_name=>"cdn"
				template_overwrite=>true
				index=>"cdn_%{cdn_date}"
				index_type=>"%{[tags][2]}"
			}

	}else if "nginx_access" in [tags] or  "nginx_error" in [tags]
	{              
#			file{
#			 path=>"/mnt/develop/elk/app/logstash-1.4.2/logs/nginx.log"
#			}
			elasticsearch
			{
				protocol=>"http"
				cluster=>"hunantv_cdn"
				host=>"localhost"
				bind_host=>"localhost"
				#port=>"9200"
				codec=>"json"
				template=>"/mnt/develop/elk/app/logstash-1.4.2/template/nginx.json"
				template_name=>"nginx"
				template_overwrite=>true
				index=>"nginx_%{cdn_date}"
				index_type=>"%{[tags][2]}"
			}

	}else if "res-monitor" in [tags]
	{
	
#			file{
#				path=>"/mnt/develop/elk/app/logstash-1.4.2/logs/res-monitor.log"
#			}
			elasticsearch
			{
				protocol=>"http"
				cluster=>"hunantv_cdn"
				host=>"localhost"
				bind_host=>"localhost"
				#port=>"9200"
				codec=>"json"
				template=>"/mnt/develop/elk/app/logstash-1.4.2/template/res-monitor.json"
				template_name=>"res-monitor"
				template_overwrite=>true
				index=>"res-monitor_%{cdn_date}"
				index_type=>"%{[tags][2]}"
			}

	}else if "cdndelivery_filecollect" in [tags]
	{
#			file{
#				path=>"/mnt/develop/elk/app/logstash-1.4.2/logs/cdn-delivery.log"
#			}
			elasticsearch
			{
				protocol=>"http"
				cluster=>"hunantv_cdn"
				host=>"localhost"
				bind_host=>"localhost"
				#port=>"9200"
				codec=>"json"
				template=>"/mnt/develop/elk/app/logstash-1.4.2/template/cdn-delivery.json"
				template_name=>"cdn-delivery"
				template_overwrite=>true
				index=>"cdn-delivery_%{cdn_date}"
				index_type=>"%{[tags][2]}-filecollect"

			}		
	}else if "cdndelivery_nodeschedule" in [tags]
        {
#			file{
#				path=>"/mnt/develop/elk/app/logstash-1.4.2/logs/cdn-delivery.log"
#			}
			elasticsearch
			{
				protocol=>"http"
				cluster=>"hunantv_cdn"
				host=>"localhost"
				bind_host=>"localhost"
				#port=>"9200"
				codec=>"json"
				template=>"/mnt/develop/elk/app/logstash-1.4.2/template/cdn-delivery.json"
				template_name=>"cdn-delivery"
				template_overwrite=>true
				index=>"cdn-delivery_%{cdn_date}"
				index_type=>"%{[tags][2]}-nodeschedule"
			}	
	}else if "cdndelivery_storageschedule" in [tags]
        {
#			file{
#				path=>"/mnt/develop/elk/app/logstash-1.4.2/logs/cdn-delivery.log"
#			}
			elasticsearch
			{
				protocol=>"http"
				cluster=>"hunantv_cdn"
				host=>"localhost"
				bind_host=>"localhost"
				#port=>"9200"
				codec=>"json"
				template=>"/mnt/develop/elk/app/logstash-1.4.2/template/cdn-delivery.json"
				template_name=>"cdn-delivery"
				template_overwrite=>true
				index=>"cdn-delivery_%{cdn_date}"
				index_type=>"%{[tags][2]}-storageschedule"
			}	
	}else if "cdndelivery_notify" in [tags]
        {
#			file{
#				path=>"/mnt/develop/elk/app/logstash-1.4.2/logs/cdn-delivery.log"
#			}
			elasticsearch
			{
				protocol=>"http"
				cluster=>"hunantv_cdn"
				host=>"localhost"
				bind_host=>"localhost"
				#port=>"9200"
				codec=>"json"
				template=>"/mnt/develop/elk/app/logstash-1.4.2/template/cdn-delivery.json"
				template_name=>"cdn-delivery"
				template_overwrite=>true
				index=>"cdn-delivery_%{cdn_date}"
				index_type=>"%{[tags][2]}-notify"
			}	
	}else if "statout" in [tags]
	{
			#file{
			#	path=>"/mnt/develop/elk/app/logstash-1.4.2/logs/statout.log"
			#}
			elasticsearch
			{
				protocol=>"http"
				cluster=>"hunantv_cdn"
				host=>"localhost"
				bind_host=>"localhost"
				#port=>"9200"
				codec=>"json"
				template=>"/mnt/develop/elk/app/logstash-1.4.2/template/statout.json"
				template_name=>"statout"
				template_overwrite=>true
				index=>"statout_%{cdn_date}"
				index_type=>"error"
			}
	}else if "dbagent_access" in [tags]
        {
			file{
				path=>"/mnt/develop/elk/app/logstash-1.4.2/logs/dbagent_access.log"
			}
			elasticsearch
			{
				protocol=>"http"
				cluster=>"hunantv_cdn"
				host=>"localhost"
				bind_host=>"localhost"
				#port=>"9200"
				codec=>"json"
				template=>"/mnt/develop/elk/app/logstash-1.4.2/template/dbagent.json"
				template_name=>"dbagent"
				template_overwrite=>true
				index=>"dbagent_%{cdn_date}"
				index_type=>"access"
			}	
	}else if "dbagent_error" in [tags]
        {
		file{
			path=>"/mnt/develop/elk/app/logstash-1.4.2/logs/dbagent_error.log"
		}
			elasticsearch
			{
				protocol=>"http"
				cluster=>"hunantv_cdn"
				host=>"localhost"
				bind_host=>"localhost"
				#port=>"9200"
				codec=>"json"
				template=>"/mnt/develop/elk/app/logstash-1.4.2/template/dbagent.json"
				template_name=>"dbagent"
				template_overwrite=>true
				index=>"dbagent_%{cdn_date}"
				index_type=>"error"
			}

	}
	else if [type]=="media-info_HashValidService_info" or [type]=="media-info_HashValidService_error" or [type]=="media-info_PicKeyFramesService_info" or [type]=="media-info_PicKeyFramesService_error" or [type]=="media-info_PollCDNFileQueueService_CdnInterFaceLog_error_error" or [type]=="media-info_PollCDNFileQueueService_CdnInterFaceLog_error_info" 
or [type]=="media-info_PollCDNFileQueueService_PollCDNFileQueue_error_error" or [type]=="media-info_PollCDNFileQueueService_PollCDNFileQueue_error_info" or [type]=="media-info_CdnPost_error" or [type]=="media-info_CdnPost_info" or [type]=="media-info_PassThroughService_error" or [type]=="media-info_PassThroughService_info" or [type]=="media-info_DispatchService_DispatchService_error" or [type]=="media-info_DispatchService_DispatchService_info" or [type]=="media-info_DispatchService_MessageQueue_error" or [type]=="media-info_DispatchService_MessageQueue_info" or [type]=="media-info_AssetIntefaceWebservice_error" or [type]=="media-info_AssetIntefaceWebservice_info" or [type]=="media-info_MgBoss_Asset_error" or [type]=="media-info_MgBoss_Asset_info" or [type]=="media-info_MgBoss_CDN_error" or [type]=="media-info_MgBoss_CDN_info" or [type]=="media-info_MgBoss_DataAccess_error" or [type]=="media-info_MgBoss_DataAccess_info" or [type]=="media-info_MgBoss_EFSQL_error" or [type]=="media-info_MgBoss_EFSQL_info" or [type]=="media-info_MgBoss_Power_error" or [type]=="media-info_MgBoss_Power_info" or [type]=="media-info_MgBoss_Sys_error" or [type]=="media-info_MgBoss_Sys_info" or [type]=="media-info_MgBoss_Template_error" or [type]=="media-info_MgBoss_Template_info" or [type]=="media-info_LiveProgramList"
	  {
                #file{
                #      path=>"/mnt/develop/elk/app/logstash-1.4.2/logs/output.log"
		#}
		elasticsearch
		{
					protocol=>"http"
					cluster => "hunantv_cdn"
	    				host => "localhost"
	   				bind_host => "localhost" 
					#port=>"9200"
					codec=>"json"
					template=>"/mnt/develop/elk/app/logstash-1.4.2/template/media-info.json"
					template_name=>"media-info"
					template_overwrite=>true
					index=>"media-info_%{e_date}"
					index_type=>"%{[index_type]}"

		}
	
	  }
        else if "router" in [tags]
	{
			elasticsearch
			{
				protocol=>"http"
				cluster => "hunantv_cdn"
		    		host => "localhost"
		   		bind_host => "localhost" 
				#port=>"9200"
				codec=>"json"
				template=>"/mnt/develop/elk/app/logstash-1.4.2/template/router.json"
				template_name=>"router"
				template_overwrite=>true
				index=>"router_%{date}"
				index_type=>"%{status}"
			}

	}else if "routerdll" in [tags]
	{
			elasticsearch
			{
				protocol=>"http"
				cluster => "hunantv_cdn"
	    			host => "localhost"
	   			#bind_host => "localhost" 
				#port=>"9200"
				codec=>"json"
				template=>"/mnt/develop/elk/app/logstash-1.4.2/template/routerdll.json"
				template_name=>"routerdll"
				template_overwrite=>true
				index=>"routerdll_%{date}"

			}

	}
}

CDN 正则表达式匹配文件

# cdn pattern doc


# created by xiaohelong 2014-08-28
CDN_DATE %{YEAR}-%{MONTHNUM}-%{MONTHDAY}
CDN_TIMESTAMP %{CDN_DATE:cdn_date}[T ]%{HOUR}:?%{MINUTE}:?\d{1,2}
UUID32 [0-9a-z]{32}
HTTPSTATUS_VALUE \d+
HTTPSTATUS status=%{HTTPSTATUS_VALUE:status}
CDN_UUID32 uuid=%{UUID32:uuid}
# we only set one eventype because if we match successfully,then we will go next.
CDN_EVENTTYPE_HTTP http
CDN_EVENTTYPE_MOVIEINFO MovieInfo
CDN_EVENTTYPE_PCVCR PCVCR
CDN_EVENTTYPE_VCR VCR
CDN_EVENTTYPE_prvcr prvcr

CDN_PATTERN_HTTP_UUID %{CDN_TIMESTAMP:timestamp}.*%{CDN_EVENTTYPE_HTTP:etype}://(%{IPV4:qhost}|%{HOSTNAME:qhost}).+%{CDN_EVENTTYPE_HTTP}://(%{IPV4:rhost}|%{HOSTNAME:rhost}).+%{CDN_UUID32}.+-(%{IPV4:chost}|%{HOSTNAME:chost})
CDN_PATTERN_HTTP %{CDN_TIMESTAMP:timestamp}.*%{CDN_EVENTTYPE_HTTP:etype}://(%{IPV4:qhost}|%{HOSTNAME:qhost}).+%{CDN_EVENTTYPE_HTTP}://(%{IPV4:rhost}|%{HOSTNAME:rhost}).+-(%{IPV4:chost}|%{HOSTNAME:chost})

CDN_PATTERN_MOVIEINFO_HTTP %{CDN_TIMESTAMP:timestamp}.*%{CDN_EVENTTYPE_MOVIEINFO:etype}\s+.*%{HTTPSTATUS}.*-(%{IPV4:chost}|%{HOSTNAME:chost})
CDN_PATTERN_MOVIEINFO %{CDN_TIMESTAMP:timestamp}.*%{CDN_EVENTTYPE_MOVIEINFO:etype}--.*-(%{IPV4:chost}|%{HOSTNAME:chost})

CDN_PATTERN_PCVCR_HTTP %{CDN_TIMESTAMP:timestamp}.* %{CDN_EVENTTYPE_PCVCR:etype}\s+.*%{HTTPSTATUS}.*-(%{IPV4:chost}|%{HOSTNAME:chost})
CDN_PATTERN_PCVCR %{CDN_TIMESTAMP:timestamp}.* %{CDN_EVENTTYPE_PCVCR:etype}--.*-(%{IPV4:chost}|%{HOSTNAME:chost})

CDN_PATTERN_VCR_HTTP %{CDN_TIMESTAMP:timestamp}.* %{CDN_EVENTTYPE_VCR:etype}\s+.*%{HTTPSTATUS}.*-(%{IPV4:chost}|%{HOSTNAME:chost})
CDN_PATTERN_VCR %{CDN_TIMESTAMP:timestamp}.* %{CDN_EVENTTYPE_VCR:etype}--.*-(%{IPV4:chost}|%{HOSTNAME:chost})

CDN_PATTERN_prvcr_HTTP %{CDN_TIMESTAMP:timestamp}.* %{CDN_EVENTTYPE_prvcr:etype}\s+.*%{HTTPSTATUS}.*-(%{IPV4:chost}|%{HOSTNAME:chost})
CDN_PATTERN_prvcr %{CDN_TIMESTAMP:timestamp}.* %{CDN_EVENTTYPE_prvcr:etype}--.*-(%{IPV4:chost}|%{HOSTNAME:chost})

#above complete cdn pattern


#begin nginx access part	
NGINX_ACCESS (%{IPV4:chost}|%{HOSTNAME:chost}).+\[%{MONTHDAY:a_day}/%{MONTH:a_month}/%{YEAR:a_year}\:%{TIME:time}.*\"\s+%{NUMBER:status}.*
#(%{IPV4:chost}|%{HOSTNAME:chost}).+\[%{MONTHDAY}/%{MONTH}/%{YEAR}\:%{TIME:time}.*\"\s+%{NUMBER:status}.*
#end nginx access part

#begin nginx error part
NGINX_ERR_1301 1301
NGINX_ERROR_1301 %{YEAR:e_year}/%{MONTHNUM:e_month}/%{MONTHDAY:e_day}\s%{TIME:time}.+error.*\:\s+%{NGINX_ERR_1301:status}.*[0-9a-z]{32},.*time:%{INT:rtime}.*;t is %{INT:qtime}.*client: (%{IPV4:chost}|%{HOSTNAME:chost}).*
NGINX_ERROR %{YEAR:e_year}/%{MONTHNUM:e_month}/%{MONTHDAY:e_day}\s%{TIME:time}.+error.*\:\s+%{NUMBER:status}.*[0-9a-z]{32},.*client: (%{IPV4:chost}|%{HOSTNAME:chost}).*
#1301 %{YEAR}/%{MONTHNUM}/%{MONTHDAY}\s%{TIME}.+error.*\:\s+%{NUMBER}.*[0-9a-z]{32},%{DATA},.*time:%{INT}.*;t is %{INT}.*client: (%{IPV4:chost}|%{HOSTNAME:chost}).*
#not 1301 %{YEAR}/%{MONTHNUM}/%{MONTHDAY}\s%{TIME}.+error.*\:\s+%{NUMBER}.*[0-9a-z]{32},.*client: (%{IPV4:chost}|%{HOSTNAME:chost}).*
#end nginx error part


#begin ChenPU CDN Delivery and Resource Monitor part , all WRN,ERR use the same pattern to match
    STR_ERR ((?i)err(info|or|msg)?)
	CDNDELIVERY_EVENTTYPE_WRN WRN
	CDNDELIVERY_EVENTTYPE_ERR ERR
	#when match the WRN or ERR,please put ERRINFO pattern before no ERR
	CDNDELIVERY_PATTERN_WRN_ERRINFO %{HOUR:e_hour}:%{MINUTE:e_minute}:%{INT:e_second}.*%{CDNDELIVERY_EVENTTYPE_WRN:etype}--%{GREEDYDATA:info}%{STR_ERR}\s*(=|=|:|:)\s*%{GREEDYDATA:errInfo}
	CDNDELIVERY_PATTERN_WRN_NOERR %{HOUR:e_hour}:%{MINUTE:e_minute}:%{INT:e_second}.*%{CDNDELIVERY_EVENTTYPE_WRN:etype}--%{GREEDYDATA:info}

        CDNDELIVERY_PATTERN_ERR_ERRINFO %{HOUR:e_hour}:%{MINUTE:e_minute}:%{INT:e_second}.*%{CDNDELIVERY_EVENTTYPE_ERR:etype}--%{GREEDYDATA:info}%{STR_ERR}\s*(=|=|:|:)\s*%{GREEDYDATA:errInfo}
	CDNDELIVERY_PATTERN_ERR_NOERR %{HOUR:e_hour}:%{MINUTE:e_minute}:%{INT:e_second}.*%{CDNDELIVERY_EVENTTYPE_ERR:etype}--%{GREEDYDATA:info}

	
	#begin res_monitor part
	RESMONITOR_EVENTTYPE_VRB VRB
	RESMONITOR_PATTERN_VRB %{HOUR:e_hour}:%{MINUTE:e_minute}:%{INT:e_second}.*\s%{RESMONITOR_EVENTTYPE_VRB:etype}.*EpochTime":%{QUOTEDSTRING:EpochTime}.*NodeId":%{NUMBER:NodeId}.*CurrentConn":%{NUMBER:CurrentConn}.*CurrentBandwidth":%{NUMBER:CurrentBandwidth}.*DiskTotalSpace":%{NUMBER:DiskTotalSpace}.*DiskFreeSpace":%{NUMBER:DiskFreeSpace}.*CpuUsage":%{NUMBER:CpuUsage}.*MemUsage":%{NUMBER:MemUsage}.*WanUsage":%{NUMBER:WanUsage}.*LanUsage":%{NUMBER:LanUsage}.*IoUsage":%{NUMBER:IoUsage}.*LanIpState":%{NUMBER:LanIpState}.*WanIpState":%{NUMBER:WanIpState}.*
	#end res_monitor part

	#begin cdn delivery part
	  	 #begin  filecollect part
	 	 FILECOLLECT_EVENTTYPE_VRB VRB
		 FILECOLLECT_PATTERN_VRB %{HOUR:e_hour}:%{MINUTE:e_minute}:%{INT:e_second}.*\s%{FILECOLLECT_EVENTTYPE_VRB:etype}.*EpochTime":%{QUOTEDSTRING:EpochTime}.*NodeId":%{NUMBER:NodeId}.*IsInited":%{NUMBER:IsInited}.*FileName":%{QUOTEDSTRING:FileName}.*FileSize":%{INT:FileSize}.*FileHash":%{QUOTEDSTRING:FileHash}.*FileIsDel":%{INT:FileIsDel}.*
	 	  #end filecollect part
                 #begin nodeschedule part
		 NODESCHEDULE_EVENTTYPE_VRB VRB
		 NODESCHEDULE_EVENTTYPE_INF INF
                 NODESCHEDULE_PATTERN_VRB .*?
		 NODESCHEDULE_PATTERN_INF %{HOUR:e_hour}:%{MINUTE:e_minute}:%{INT:e_second}.*\s+%{NODESCHEDULE_EVENTTYPE_INF:etype}--%{DATA}\s*ContentType=%{WORD:ContentType}.*FileId=%{WORD:FileId}.*FileName=%{DATA:FileName},TorrentHash=.*%{WORD:TorrentHash}.*State=%{WORD:State}.*Progress=%{NUMBER:Progress}.*DownloadSpeed=%{NUMBER:DownloadSpeed}.*UploadSpeed=%{NUMBER:UploadSpeed}.*DownloadSpeedAvg=%{NUMBER:DownloadSpeedAvg}.*UploadSpeedAvg=%{NUMBER:UploadSpeedAvg}.*DownloadedBytes=%{NUMBER:DownloadedBytes}.*UploadedBytes=%{NUMBER:UploadedBytes}.*%{STR_ERR}=%{GREEDYDATA}.*
		 #end nodeschedule part
                 
		#begin storageschedule part
		 STORAGESCHEDULE_EVENTTYPE_VRB VRB
                 STORAGESCHEDULE_PATTERN_VRB .*?
		#end storageschedule part
                #begin notify part
                NOTIFYSCHEDULE_EVENTTYPE_VRB VRB
                NOTIFYSCHEDULE_PATTERN_VRB .*?
                #end notify part

	#end cdn delivery part
#end ChenPU CDN Delivery and Resource Monitor part
#begin shaochan statout
        STATOUT_PATTERN %{TIME:e_time}\s+.*:%{GREEDYDATA:info}
#end shaochan statout
#Begin DBAGENT access part
	DBAGENT_ACCESS (%{IPV4:chost}|%{HOSTNAME:chost}).+\[%{MONTHDAY:a_day}/%{MONTH:a_month}/%{YEAR:a_year}\:%{TIME:time}.*(POST|GET)\s*%{DATA:interface}\s+HTTP.*\s+%{INT:status}\s+%{INT}\s+.*
#End DBAGENT access part
#Begin DBAGENT error part
        DBAGENT_ERROR_3 %{YEAR:e_year}/%{MONTHNUM:e_month}/%{MONTHDAY:e_day}\s+%{TIME:time}\s+\[error\]\s+%{INT:pid}#0:\s+\*%{INT}\s+%{INT:level}\s+msg:%{DATA:msg},\s+check time:%{INT:ctime},\s+query string:\s*call\s+%{WORD:interface}.*\(%{DATA:para}\),\s+client:\s+(%{IPV4:chost}|%{HOSTNAME:chost}),.*
	DBAGENT_ERROR_2 %{YEAR:e_year}/%{MONTHNUM:e_month}/%{MONTHDAY:e_day}\s+%{TIME:time}\s+\[error\]\s+%{INT:pid}#0:\s+\*%{INT}\s+%{INT:level}\s+msg:%{DATA:msg},\s+check time:%{INT:ctime},\s+query string:\s*call\s+%{WORD:interface}.*\(%{DATA:para}\).*
	DBAGENT_ERROR_1 %{YEAR:e_year}/%{MONTHNUM:e_month}/%{MONTHDAY:e_day}\s+%{TIME:time}\s+\[error\]\s+%{INT:pid}#0:\s+%{INT:level}\s+msg:%{GREEDYDATA:msg}$.*
#End DBAGENT error part

#Begin router part
ROUTER_REQUEST_URL http://%{IP:requestServer}/.*--%{GREEDYDATA:fileLoc}
ROUTER_OK %{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day}\s*%{TIME:time},%{INT}.*-.*%{IP:chost}\s-\s%{WORD:status}\s-\s%{ROUTER_REQUEST_URL:requestURL}.*\s-\s%{NUMBER:isThirdCDN}\s-\s%{NUMBER:requestPolicyID}\s-\s%{NUMBER:rateLimited}

ROUTER_ERROR %{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day}\s%{TIME:time},.*-.*%{IP:chost}\s-\s%{WORD:status}\s-\s%{GREEDYDATA:description}.*\s-\s%{NUMBER:isThirdCDN}\s-\s%{NUMBER:requestPolicyID}\s-\s%{NUMBER:rateLimited}
#End router part

#Begin routerdll part
ROUTERDLL_ERR %{TIME:time}\.%{INT}\s%{DATA:etype}--%{GREEDYDATA:info}\s*fid=%{GREEDYDATA:fid},\s*uip=%{IP:uip},\s*pno=%{INT:pno},\s*msec=%{NUMBER:msec},\s*statusDesc=%{GREEDYDATA:statusDesc},\s*errInfo=%{GREEDYDATA:errInfo},\s*userRegionId=%{INT:userRegionId},\s*svcRegionIds=%{GREEDYDATA:svcRegionIds},\shasFileNodeIds=%{GREEDYDATA:hasFileNodeIds},\s*routeType=%{GREEDYDATA:routeType},\s*isTestSpeed=%{INT:isTestSpeed},\s*lastSvrIps=%{GREEDYDATA:lastSvrIps}
#End routerdll part

#begin media-info pattern doc
# created by xiaohelong 2014-10-14
DATE_CN (%{YEAR}-%{MONTHNUM}-%{MONTHDAY})
#begin info part 
INFOERROR_PATTERN  .*【记录时间】\s*%{DATE_CN:e_date}\s*%{TIME:e_time},%{INT}.*\s*【线程编号】\[%{INT:tid}\]\s*【信息描述】\s*%{GREEDYDATA:info}
#end info part

#begin LogOfOnTimeRun
LOGOFONTIMERUN .*Date="%{DATE_CN:e_date}\s*%{TIME:e_time}.*Type="%{DATA:status}".*Note="%{DATA:info}".*
#end LogOfOnTimeRun
#end media-info

以下均为json模版文件

cdn.json 模版文件

{
    "template": "cdn_*",
    "settings": {
        "index.number_of_shards": 5,
        "number_of_replicas": 1
    },
    "mappings": {
        "_default_": {
            "_all": {
                "enabled": "false"
            },
            "_source": {
                "enabled": true,
		"compress":true
            },
            "properties": {
                "_id": {
                    "type": "string",
                    "index": "not_analyzed"
                },
		"host":{
			"type":"string",
			"index":"not_analyzed"
		},
                "message": {
                    "type": "string",
                    "index": "not_analyzed"
                },
                "chost": {
		    "dynamic": true,
                    "type": "ip",
                    "index": "not_analyzed"
                },
                "cgeo": {
		    "dynamic": true,
                    "type": "object",
                    "properties": {
                        "country_name": {
                            "type": "string",
                            "index": "not_analyzed"
                        },
                        "real_region_name": {
                            "type": "string",
                            "index": "not_analyzed"
                        }
                    }
                }
            }
        }
    },
    "http": {
        "properties": {
            "_timestamp": {
                "enabled": true,
                "type": "date",
                "path": "timestamp",
                "format": "dateOptionalTime"
            },
            "rhost": {
                "type": "string",
                "index": "not_analyzed"
            },
            "qhost": {
                "type": "string",
                "index": "not_analyzed"
            },
            "uuid": {
                "dynamic": true,
                "type": "string",
                "index": "not_analyzed"
            }
        }
    },
    "MovieInfo": {
        "properties": {
            "_timestamp": {
                "enabled": true,
                "type": "date",
                "path": "timestamp",
                "format": "dateOptionalTime"
            },
            "status": {
                "dynamic": true,
                "type": "integer",
                "index": "not_analyzed"
            }
        }
    },
    "PCVCR": {
        "properties": {
            "_timestamp": {
                "enabled": true,
                "type": "date",
                "path": "timestamp",
                "format": "dateOptionalTime"
            },
            "status": {
                "dynamic": true,
                "type": "integer",
                "index": "not_analyzed"
            }
        }
    },
    "VCR": {
        "properties": {
            "_timestamp": {
                "enabled": true,
                "type": "date",
                "path": "timestamp",
                "format": "dateOptionalTime"
            },
            "rhost": {
                "type": "string",
                "index": "not_analyzed"
            },
            "qhost": {
                "type": "string",
                "index": "not_analyzed"
            },
            "uuid": {
                "dynamic": true,
                "type": "string",
                "index": "not_analyzed"
            }
        }
    },
    "prvcr": {
        "properties": {
            "_timestamp": {
                "enabled": true,
                "type": "date",
                "path": "timestamp",
                "format": "dateOptionalTime"
            },
            "status": {
                "dynamic": true,
                "type": "integer",
                "index": "not_analyzed"
            }
        }
    }
}

{
    "template": "cdn-delivery_*",
    "settings": {
        "index.number_of_shards": 5,
        "number_of_replicas": 1
    },
    "mappings": {
        "_default_": {
            "_all": {
                "enabled": "false"
            },
            "_source": {
                "enabled": true,
                "compress": true
            },
            "properties": {
                "_id": {
                    "type": "string",
                    "index": "not_analyzed"
                },
                "timestamp": {
                    "enabled": true,
                    "type": "date",
                    "format": "dateOptionalTime"
                },
                "host": {
                    "type": "string",
                    "index": "not_analyzed"
                }
	
            }
        },
	"VRB-filecollect":{
		"properties":{
			"EpochTime":{
				"type":"string",
				"format":"not_analyzed"
			},
			"NodeId":{
				"type":"integer"
			},
			"IsInited":{
				"type":"boolean"
			},
			"FileName":{
				"type":"string",
				"index":"not_analyzed"
			},
			"FileSize":{
				"type":"long"
			},
			"FileHash":{
				"type":"string",
				"index":"not_analyzed"
			},
			"FileIsDel":{
				"type":"boolean"
			}
		}

	},
	"ERR-filecollect":{
		"properties":{
			"message":{
				"type":"string",
				"index":"not_analyzed"
			},
			"info":{
				"type":"string",
				"index":"not_analyzed"
			},
			"errInfo":{
				"dynamic":true,
 				"type":"string",
 				"index":"not_analyzed"
			}
		}
	},
	"WRN-filecollect":{
		"properties":{
			"message":{
				"type":"string",
				"index":"not_analyzed"
			},
			"info":{
				"type":"string",
				"index":"not_analyzed"
			},
                        "errInfo":{
				"dynamic":true,
 				"type":"string",
 				"index":"not_analyzed"
			}
		}
	},
	"ERR-nodeschedule":{
		"properties":{
			"message":{
				"type":"string",
				"index":"not_analyzed"
			},
			"info":{
				"type":"string",
				"index":"not_analyzed"
			},
			"errInfo":{
				"dynamic":true,
 				"type":"string",
 				"index":"not_analyzed"
			}
		}
	},
	"WRN-nodeschedule":{
		"properties":{
			"message":{
				"type":"string",
				"index":"not_analyzed"
			},
			"info":{
				"type":"string",
				"index":"not_analyzed"
			},
                        "errInfo":{
				"dynamic":true,
 				"type":"string",
 				"index":"not_analyzed"
			}
		}
	},
        "INF-nodeschedule":{
		"properties":{
			"ContentType":{
				"type":"string",
				"index":"not_analyzed"
			},
			"FileId":{
				"type":"string",
				"index":"not_analyzed"
			},
			"FileName":{
				"type":"string",
				"index":"not_analyzed"
			},
			"TorrentHash":{
				"type":"string",
				"index":"not_analyzed"
			},
			"State":{
				"type":"string",
				"index":"not_analyzed"
			},
			"Progress":{
				"type":"float"
			},
			"DownloadSpeed":{
				"type":"float"
			},
			"UploadSpeed":{
				"type":"float"
			},
			"DownloadSpeedAvg":{
				"type":"float"
			},
			"UploadSpeedAvg":{
				"type":"float"
			},
			"DownloadedBytes":{
				"type":"float"
			},
			"UploadedBytes":{
				"type":"float"
			}
		}
	},
	"ERR-storageschedule":{
		"properties":{
			"message":{
				"type":"string",
				"index":"not_analyzed"
			},
			"info":{
				"type":"string",
				"index":"not_analyzed"
			},
			"errInfo":{
				"dynamic":true,
 				"type":"string",
 				"index":"not_analyzed"
			}
		}
	},
	"WRN-storageschedule":{
		"properties":{
			"message":{
				"type":"string",
				"index":"not_analyzed"
			},
			"info":{
				"type":"string",
				"index":"not_analyzed"
			},
                        "errInfo":{
				"dynamic":true,
 				"type":"string",
 				"index":"not_analyzed"
			}
		}
	},
	"ERR-notify":{
		"properties":{
			"message":{
				"type":"string",
				"index":"not_analyzed"
			},
			"info":{
				"type":"string",
				"index":"not_analyzed"
			},
			"errInfo":{
				"dynamic":true,
 				"type":"string",
 				"index":"not_analyzed"
			}
		}
	},
	"WRN-notify":{
		"properties":{
			"message":{
				"type":"string",
				"index":"not_analyzed"
			},
			"info":{
				"type":"string",
				"index":"not_analyzed"
			},
                        "errInfo":{
				"dynamic":true,
 				"type":"string",
 				"index":"not_analyzed"
			}
		}
	}


    }
}

{
    "template": "dbagent_*",
    "settings": {
        "index.number_of_shards": 5,
        "number_of_replicas": 0
    },
    "mappings": {
        "_default_": {
            "_all": {
                "enabled": "false"
            },
            "_source": {
                "enabled": true,
                "compress": true
            },
            "properties": {
                "_id": {
                    "type": "string",
                    "index": "not_analyzed"
                },
                "timestamp": {
                    "enabled": true,
                    "type": "date",
                    "format": "dateOptionalTime"
                },
                "host": {
                    "type": "string",
                    "index": "not_analyzed"
                }
            }
        },
	"access":{
		"properties":{
	          "status":{
			  "type":"integer"
		  },
                  "chost": {
                          "type": "ip",
                          "index": "not_analyzed"
                   },
 		  "interface":{
			   "dynamic":true,			
			   "type":"string",
			   "index":"not_analyzed"
		    }
		}
	},
        "error":{
 		"properties":{
			"pid":{
				"type":"integer"
			},
			"level":{
				"type":"integer"
			},
			"msg":{
				"type":"string",
				"index":"not_analyzed"
			},
			"ctime":{
				"dynamic":true,
				"type":"long"
			},
			"interface":{
				"dynamic":true,			
				"type":"string",
				"index":"not_analyzed"
			},
			"para":{
				"dynamic":true,				
				"type":"string",
				"index":"not_analyzed"
			},
               		"chost": {
				"dynamic":true, 	         	    	
                  	    	"type": "ip"
                        },
			"message":{
				"type":"string",
				"index":"not_analyzed"
			}
		}
	}
    }
}

{
    "template": "media-info_*",
    "settings": {
        "index.number_of_shards": 5,
        "number_of_replicas": 1
    },
    "mappings": {
        "_default_": {
            "_all": {
                "enabled": "false"
            },
            "_source": {
                "enabled": true,
                "compress": true
            },
            "properties": {
                "_id": {
                    "type": "string",
                    "index": "not_analyzed"
                },
                "timestamp": {
                    "enabled": true,
                    "type": "date",
                    "format": "dateOptionalTime"
                },
                "host": {
                    "type": "string",
                    "index": "not_analyzed"
                },
                "appname":{
                    "type":"string",
                    "index":"not_analyzed"
		},
                "category":{
                    "dynamic":true,
                    "type":"string",
                    "index":"not_analyzed"
		}
            }
        },
	"info":{
		"properties":{
			"tid":{
				"type":"integer"
			},
			"info":{
				"type":"string",
				"index":"analyzed"
			}
		}

	},
	"error":{
		"properties":{
			"tid":{
				"type":"integer"
			},
			"info":{
				"type":"string",
				"index":"analyzed"
			}
		}

	},
	"LiveProgramList":{
		"properties":{
			"status":{
				"type":"string",
				"index":"not_analyzed"
			},
                        "info":{
				"type":"string",
				"index":"analyzed"
			}
		}
	}
    }
}

{
    "template": "nginx_*",
    "settings": {
        "index.number_of_shards": 5,
        "number_of_replicas": 1
    },
    "mappings": {
        "_default_": {
            "_all": {
                "enabled": "false"
            },
            "_source": {
                "enabled": true,
                "compress": true
            },
            "properties": {
                "_id": {
                    "type": "string",
                    "index": "not_analyzed"
                },
                "timestamp": {
                    "enabled": true,
                    "type": "date",
                    "format": "dateOptionalTime"
                },
                "host": {
                    "type": "string",
                    "index": "not_analyzed"
                },
                "message": {
                    "type": "string",
                    "index": "no"
                },
                "chost": {
                    "type": "ip",
                    "index": "not_analyzed"
                },
                "cgeo": {
                    "type": "object",
                    "properties": {
                        "country_name": {
                            "type": "string",
                            "index": "not_analyzed"
                        },
                        "real_region_name": {
                            "type": "string",
                            "index": "not_analyzed"
                        }
                    }
                }
		,
		"status":{
			"type":"integer"
		}
            }
        },
	"error":{
		"properties":{
		   "interval":{
			   "dynamic":true,
			   "type":"integer"
		   }
		}

	}
    }
}

{
    "template": "nginx_access_*",
    "settings" : {
        "number_of_shards" : 5,
        "number_of_replicas" : 1,
        "index" : {
            "query" : { "default_field" : "message" }
        }
    },
    "mappings": {
        "nginx_access": { 
            "_all": { "enabled": false },
            "_source": {
                "enabled": true,
                "compress": true
            },
            "dynamic_templates": [
                {
                    "string_template" : { 
                        "match" : "*",
                        "mapping": { "type": "string", "index": "not_analyzed" },
                        "match_mapping_type" : "string"
                     } 
                 }
             ],
            "properties" : {
                "@timestamp": { "type": "date", "format": "dateOptionalTime" },
                "fid" : { "type" : "string", "index" : "not_analyzed" },
                "filename" : { "type" : "string", "index" : "analyzed" },
                "host" : { "type" : "string", "index" : "analyzed" },
                "message" : { "type" : "string", "index" : "analyzed" },
                "referer" : { "type" : "string", "index" : "analyzed" },
                "request": { "type": "string", "index" : "analyzed" },
                "sentbytes" : { "type" : "long" },
                "status" : { "type" : "short" },
                "type" : { "type" : "string", "index" : "not_analyzed" },
                "user_agent" : { "type" : "string", "index" : "analyzed" },
                "userip" : { "type" : "string", "index" : "not_analyzed" },
                "uuid" : { "type" : "string", "index" : "not_analyzed" },
                "verb" : { "type" : "string", "index" : "not_analyzed" },
                "limitrate" : { "type" : "integer" },
                "nid" : { "type" : "short" },
                "payload" : { "type" : "string", "index" : "analyzed" },
                "sign" : { "type" : "string", "index" : "not_analyzed"},
                "urgid" : { "type" : "short" },
                "srgid" : { "type" : "short" },
                "srgids" : { "type" : "string", "index" : "analyzed" },
                "t" : { "type" : "string", "index" : "not_analyzed" },
                "geoip" : {
                    "dynamic" : true,
                    "path" : "full",
                    "properties" : {
                      "location" : {
                        "type" : "geo_point"
                      }
                    },
                    "type" : "object"
                }
            }
        }
    }
}

{
    "template": "res-monitor_*",
    "settings": {
        "index.number_of_shards": 5,
        "number_of_replicas": 1
    },
    "mappings": {
        "_default_": {
            "_all": {
                "enabled": "false"
            },
            "_source": {
                "enabled": true,
                "compress": true
            },
            "properties": {
                "_id": {
                    "type": "string",
                    "index": "not_analyzed"
                },
                "timestamp": {
                    "enabled": true,
                    "type": "date",
                    "format": "dateOptionalTime"
                },
                "host": {
                    "type": "string",
                    "index": "not_analyzed"
                }
	
            }
        },
	"VRB":{
		"properties":{
			"EpochTime":{
				"type":"string",
				"format":"not_analyzed"
			},
			"NodeId":{
				"type":"integer"
			},
			"CurrentConn":{
				"type":"integer"
			},
			"CurrentBandwidth":{
				"type":"integer"
			},
			"DiskTotalSpace":{
				"type":"long"
			},
			"DiskFreeSpace":{
				"type":"long"
			},
			"CpuUsage":{
				"type":"integer"
			},
			"MemUsage":{
				"type":"integer"
			},
			"WanUsage":{
				"type":"integer"
			},
			"LanUsage":{
				"type":"integer"
			},
			"IoUsage":{
				"type":"integer"
			},
			"LanIpState":{
				"type":"integer"
			},
			"WanIpState":{
				"type":"integer"
			}
		}

	},
	"ERR":{
		"properties":{
			"message":{
				"type":"string",
				"index":"not_analyzed"
			},
			"info":{
				"type":"string",
				"index":"not_analyzed"
			},
			"errInfo":{
				"type":"string",
				"index":"not_analyzed"
			}
		}
	},
	"WRN":{
		"properties":{
			"message":{
				"type":"string",
				"index":"not_analyzed"
			},
			"info":{
				"type":"string",
				"index":"not_analyzed"
			},
                        "errInfo":{
				"dynamic":true,
 				"type":"string",
 				"index":"not_analyzed"
			}
		}
	}
    }
}

{
    "template": "router_*",
    "settings": {
        "index.number_of_shards": 5,
        "number_of_replicas": 1
    },
    "mappings": {
        "_default_": {
            "_all": {
                "enabled": "false"
            },
            "_source": {
                "enabled": true,
                "compress": true
            },
            "properties": {
                "_id": {
                    "type": "string",
                    "index": "not_analyzed"
                },
                "timestamp": {
                    "enabled": true,
                    "type": "date",
                    "format": "dateOptionalTime"
                },
                "host": {
                    "type": "string",
                    "index": "not_analyzed"
                },
		"chost":{
			"type":"ip",
			"index":"not_analyzed"
		},
		"isThirdCDN":{
			"type":"boolean"
		},
		"requestPolicyID":{
			"type":"integer"
		},
		"rateLimited":{
			"type":"long"
		}
            }
        },
	"ok":{
		"properties":{
	           "requestURL":{
			   "type":"string",
			   "index":"not_analyzed"
		   },
                   "requestServer":{
                            "type":"ip",
                            "index":"not_analyzed"
			},
                   "fileLoc":{
                             "type":"string",
                             "index":"not_analyzed"
			}
		}
	},
        "error":{
 		"properties":{
			 "description":{
				"type":"string",
				"index":"not_analyzed"
			    }

		}
	}
    }
}

{
    "template": "routerdll_*",
    "settings": {
        "index.number_of_shards": 5,
        "number_of_replicas": 1
    },
    "mappings": {
        "_default_": {
            "_all": {
                "enabled": "false"
            },
            "_source": {
                "enabled": true,
                "compress": true
            },
            "properties": {
                "_id": {
                    "type": "string",
                    "index": "not_analyzed"
                },
                "timestamp": {
                    "enabled": true,
                    "type": "date",
                    "format": "dateOptionalTime"
                },
                "host": {
                    "type": "string",
                    "index": "not_analyzed"
                }
            }
        },
	"ERR":{
		"properties":{
			"info":{
			 "type":"string",
			 "index":"not_analyzed"
			},
			"fid":{
				"type":"string",
				"index":"not_analyzed"
			},
			"uip":{
				"type":"ip",
				"index":"not_analyzed"
			},
			"pno":{
				"type":"integer"
			},
			"msec":{
				"type":"float"
			},
			"statusDesc":{
				"type":"string",
				"index":"not_analyzed"
			},
			"errInfo":{
				"type":"string",
				"index":"not_analyzed"
			},
			"userRegionId":{
				"type":"integer"				
			},
			"svcRegionIds":{
				"type":"string",
				"index":"not_analyzed"
			},
			"hasFileNodeIds":{
				"type":"string",
				"index":"not_analyzed"
			},
			"routeType":{
				"type":"string",
				"index":"not_analyzed"
			},
			"isTestSpeed":{
				"type":"boolean"
			},
			"lastSvrIps":{
				"type":"string",
				"index":"not_analyzed"

			}
		}
	}
    }
}

{
    "template": "statout_*",
    "settings": {
        "index.number_of_shards": 5,
        "number_of_replicas": 1
    },
    "mappings": {
        "_default_": {
            "_all": {
                "enabled": "false"
            },
            "_source": {
                "enabled": true,
                "compress": true
            },
            "properties": {
                "_id": {
                    "type": "string",
                    "index": "not_analyzed"
                },
                "timestamp": {
                    "enabled": true,
                    "type": "date",
                    "format": "dateOptionalTime"
                },
                "host": {
                    "type": "string",
                    "index": "not_analyzed"
                },
		"info":{
			"type":"string",
			"index":"not_analyzed"
		}
	
            }
        }
    }
}

 

转载于:https://my.oschina.net/xiaohelong/blog/895864

weixin_34232363
关注
  • 0
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
logstash 采集log4j日志配置文件
07-27
logstash采集log4j日志发送到es配置文件,可以把日志根据日志级别区分开,一个级别一条日志是es中的一条数据
2021-11-01Logstash关于日志清洗记录学习及应用
weixin_52116589的博客
11-01 1078
logstash日志清洗: 公司目前给我日志清洗任务,给了我乱七八糟资料之后看的一脸懵,最后决定自己动手整理整理这样有头绪点,记录一下自己学习过程。其中涉及到一些ip内容的我都改为ip,其他保持一致,欢迎大家一起讨论,我也是刚开始学习这个,如有写的不对请多指教。 一、学习阶段 1、首先理解logstash中各个语法: 事件:Logstash 每读取一次数据的行为叫做事件。 1)**Input:**输入插件,允许一个特定的事件源可以读取到 Logstash 管道中。 支持多种数据源:stdin,file,tc
logstash常见数据清洗配置
舒克的博客
06-29 2100
ogstash通过插件的形式来配置input,filter,output,在消费数据后,如果需要对数据做处理,需要用到filter的很多功能。最近使用logstash传递kafka数据到es时,了解了一些logstash处理数据的方式,以下logstash的config做个简单分享: input { kafka { bootstrap_servers => "xxx.xxx.xxx.xx:9092,yyy.yyy.yyy.yy:9092," ##kafka地址,可以是集群 ...
logstash采集与清洗数据到elasticsearch案例实战
我的博客
10-28 9453
logstash 的使用 logstash支持把配置写入文件 xxx.conf,然后通过读取配置文件来采集数据 ./bin/logstash –f xxx.conf   logstash最终会把数据封装成json类型,默认会添加@timestamp时间字段、host主机字段、type字段。原消息数据会整个封装进message字段。如果数据处理过程中,用户解析添加了多个字段,则最终结果又会多
Logstash的filter插件介绍
qq_29860591的博客
12-02 642
一 官网说明 过滤器插件对事件执行中介处理。通常根据事件的特征有条件地应用过滤器。 以下过滤器插件在下面可用。 Plugin Description Github repository aggregate Aggregates information from several events originating with a single task lo...
logstash默认timestamp时间戳值修改为日志中提取的时间
Zhang Phil
06-12 2580
logstash中的timestamp时间戳时间由logtash在采集到日志时间时候自动设置,有些时候,需要把这个默认的timestamp时间修改为日志数据中提取到的时间,使两者一致。可以通过配置文件实现: 上述配置的grok将匹配每一行日志中开始的[]里面的数据作为时间放入到logtime中,然后在date里面,将按照yyyy-MM-dd HH:mm:ss.SSS的日期时间格式把时间最终覆盖系统默认的timestamp中。也可以通过ruby代码实现把自己提取到的日志时间作为系统默认的时间戳:...
基于logstash实现日志文件同步elasticsearch
09-16
综上所述,通过上述步骤,我们不仅了解了如何配置Logstash来同步日志文件到Elasticsearch,还学习了如何通过示例脚本来生成模拟数据,并最终验证了数据的完整性和准确性。这对于实际应用中的日志管理与分析具有重要...
Spring Boot 使用 logback、logstash、ELK 记录日志文件的方法
08-28
8. 配置文件可以处理不同的情况:开发人员经常需要判断不同的 Logback 配置文件在不同的环境下(开发,测试,生产)。 9. Filters(过滤器):有些时候,需要诊断一个问题,需要打出日志。在 log4j,只有降低日志...
logstash配置文件
07-27
一个简单的Logstash配置文件可能如下所示,它从一个日志文件中读取数据,解析日志,然后将结果发送到Elasticsearch: ```ruby input { file { path => ["/var/log/myapp/*.log"] start_position => "beginning" ...
Logstash对nginx的access/error.log日志清洗并数据可视化监控设计
weixin_34128237的博客
05-15 2175
Nginx有两套日志,一套access.log一套error.log,access.log用户可以自定义,两套日志处理好,业务的质量就了然于心了,另外,日志关键指标可视化分析我认为是运维中最重要的事情了,没有之一。对于后期的可视化监控,核心观点两个字“收敛”,工具用grafana,把最有用的关键指标放到dashboard上,我线上设计的一个版面如下,由于日志量大,200 ok...
Android地理寻宝软件cgeo.zip
07-17
cgeo 是 Android 设备上一个简单而又强大的非官方地理寻宝客户端。与其他类似应用不同的是,cgeo 不需要 Web 浏览器,也不需要文件输出。你可以在毫无准备的情况下,毫无后顾之忧地带上你的智能手机去进行地理寻宝。当然,你也不需要付钱,因为它是免费的。 标签:cgeo
Android代码-cgeo
08-06
c:geo is an open source, full-featured, always ready-to-go client for geocaching.com (unofficial) and offers basic support for other geocaching platforms. It does not require a web browser or exports - just download and start right away. You want to contribute? Perfect! Please tell us in the issue tracker before hacking on your great new feature. It would be bad if you have implemented something great, but we can't include it because it doesn't fit the remaining architecture and code. You might
自制寻宝游戏.doc
02-01
游戏设计课大作业,自制寻宝游戏。游戏规则:玩家拾取宝石赚取积分,小鬼碰撞玩家消耗积分,玩家拾取武器,攻击小鬼赚取积分;玩家有5条生命,被僵尸砍到,则会减少生命;玩家探寻宝箱,当打开正确宝箱,出现卷轴时,则玩家胜利,否则,积分消耗完或者生命消耗完,则算玩家输。
利用Python中的pandas库对cdn日志进行分析详解
09-21
主要介绍了利用Python中的pandas库进行cdn日志分析的相关资料,文中分享了pandas对cdn日志分析的完整示例代码,然后详细介绍了关于pandas库的相关内容,需要的朋友可以参考借鉴,下面来一起看看吧。
logstash配置简单说明
xuegaoxuegao的博客
02-26 781
Logstash:收集、解析和转换日志 | Elastic 接上文filebeat配置简单说明_xuegaoxuegao的博客-CSDN博客 日志采集推给logstash后,需要针对自己的需求做对应处理. input { beats { port => 9901 } } filter { #根据logstash接受的数据中 fileds字段下的logType来判断,采取不同策略 if [fields][logtype] == "newApp" {...
Logstash~filter.grok插件使用教程(附带实例)
feizuiku0116的博客
04-26 1666
->->grok在线测试网站-<-< ->->grok官方匹配模式-<-< ->->正则表达式官方语法-<-< 一、grok介绍 描述任意文本并对其进行结构化 将非结构化日志数据解析为结构化和可查询的数据 语法:%{SYNTAX:SEMANTIC} SYNTAX:要匹配的模式名称 SEMANTIC:为匹配的文本提供的标识符 二、match:匹配 1.常规匹配 按照%{SYNTAX:SEMANTIC}语法进行匹配,将SYNTAX
logstash修改字段类型
weixin_39318540的博客
08-24 1583
logstash 中可以设置字段的类型为integer,string,float,boolean filter { grok { match => {"message" => "(?<client_ip>%{USERNAME}) - - \[(?<time>[0-9a-zA-Z/: +]+)\] \"%{NOTSPACE:method} %{NOTSPACE:url} %{NOTSPACE}[\"] %{INT:status} %{INT} [\"]%{USE.
Logstash Grok详解
热门推荐
叱咤少帅的博客
03-18 1万+
介绍 Logstash的Grok 可以使蹩脚的、无结构的日志内容结构化 需要注意的地方 grok 模式是正则表达式,因此这个插件的性能受到正则表达式引擎严重影响,效率并不高。如果通过给定的匹配格式匹配不上会Kibana查询的时候打上tag 为 grok failed 的标签 语法详解 grok模式的语法如下: %{SYNTAX:SEMANTIC} SYNTAX:代表匹配值的类型,例如3.44可以...
logstash过滤阿里云cdn日志
xp的博客
03-27 288
aliyun cdn日志样例 [26/Feb/2019:09:22:26 +0800] 111.206.221.2 - 169 “https://www.baidu.com/” “GET https://www.baidu.com/js/lib/swiper.jquery.min.js?20190221” 200 749 91127 HIT “Mozilla/5.0 (iPhone; CPU i...
logstash收集日志文件配置
最新发布
05-24
以下是一个简单的 Logstash 配置文件示例,用于收集指定目录下的所有日志文件: ``` input { file { path => "/path/to/logs/*" start_position => "beginning" } } filter { # 在这里添加需要的过滤器,例如...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值