logstash配置索引的时候,可以直接引用filebeat传过来的变量,这样就不用为每一个索引单独创建配置,具体可以查看下面的output部分。
input {
  # Beats listener that Filebeat ships events to.
  # NOTE(review): this binds to every interface and sets no TLS options, so
  # any host that can reach the port can submit events and choose their field
  # values, including [type] and [fields][log_source], which the filter and
  # output sections of this pipeline act on. Limit who can reach the port
  # (bind address, firewall or network policy) and consider the plugin's
  # ssl_* settings with client-certificate verification.
  beats {
    port => 5043
    host => "0.0.0.0"
  }
}
filter {
  # Only events whose shipper-supplied [type] is "kube-logs" are parsed here.
  if [type] == "kube-logs" {
    # Move the raw container line from "log" to "message".
    mutate {
      rename => ["log", "message"]
    }

    # Parse "time" as ISO8601 and drop the field once it has been consumed.
    date {
      match => ["time", "ISO8601"]
      remove_field => ["time"]
    }

    grok {
      # Try both patterns instead of stopping at the first one that matches.
      break_on_match => false

      # Logstash merges repeated hash-valued settings, so a single "match"
      # hash with two keys is equivalent to two separate "match" entries.
      #
      # NOTE(review): "message" is written by the applications being logged,
      # so its content is not trusted. Neither pattern is anchored and both
      # chain several DATA captures, which makes non-matching lines expensive
      # to reject. Anchoring with ^ and $ and lowering grok's timeout_millis
      # bound that cost, but anchors change which lines match, so verify them
      # against real samples first. The "." before "log" is also unescaped
      # and matches any character.
      match => {
        "source" => "/var/log/containers/%{DATA:pod_name}_%{DATA:namespace}_%{GREEDYDATA:container_name}-%{DATA:container_id}.log"
        "message" => "%{DATA:log_date} %{TIME:log_localtime} %{WORD:log_type} %{JAVAFILE:log_file} - %{WORD:method} %{URIPATHPARAM:uri} %{NUMBER:status:int} %{NUMBER:size:int} %{NUMBER:response_time:int}"
      }

      # "source" is dropped after grok has extracted the pod metadata from it.
      remove_field => ["source"]
    }
  }
}
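output {
  # The index name is built from [fields][log_source], a value set by the
  # shipper. The beats input in this file accepts events from any reachable
  # host without TLS, so the value must be treated as untrusted: a sender
  # could otherwise write into indices it does not own or create an unbounded
  # number of new ones. When the field is missing, the sprintf reference is
  # left unexpanded and ends up in the index name literally.
  #
  # The guard only accepts lowercase names made of letters, digits, ".", "_"
  # and "-" that start with a letter or digit. Widen the pattern, or replace
  # it with an explicit list of sources, if your naming scheme needs more.
  if [fields][log_source] =~ /^[a-z0-9][a-z0-9._-]*$/ {
    elasticsearch {
      # ${ES_URL} is resolved from the Logstash keystore or the environment.
      # NOTE(review): no credentials or TLS options are set in this block;
      # confirm the URL uses https and that the cluster requires authentication.
      hosts => "${ES_URL}"
      # Logstash does not install its own index template, so mappings for
      # these dynamically named indices depend on templates managed in
      # Elasticsearch.
      manage_template => false
      index => "%{[fields][log_source]}-%{+YYYY.MM.dd}"
    }
  } else {
    # Events with a missing or malformed log_source are kept, but routed to
    # one fixed index so they can be reviewed. "unrouted" is a placeholder
    # name; pick one that fits your own scheme.
    elasticsearch {
      hosts => "${ES_URL}"
      manage_template => false
      index => "unrouted-%{+YYYY.MM.dd}"
    }
  }
}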