Logstash学习之路(三)Logstash处理时区、类型转换、删除字段的案例配置
#输入
input {
file {
path => ["文件路径"]
#自定义类型
type => "自定义"
start_position => "beginning"
}
}
#过滤器
filter{
#去除换行符
mutate{
gsub => [ "message", "\r", "" ]
}
#逗号分割
mutate {
split => ["message",","]
}
#分割后,字段命名与赋值
mutate{
add_field => {
"id" => "%{[message][0]}"
"cc" => "%{[message][5]}"
"bcc" => "%{[message][6]}"
"from_user" => "%{[message][7]}"
"size" => "%{[message][8]}"
"attachments" => "%{[message][9]}"
"content" => "%{[message][10]}"
}
}
#字段里的日期识别,以及时区转换,生成date
date {
match => [ "mydate", "MM/dd/yyyy HH:mm:ss" ]
target => "date"
locale => "en"
timezone => "+00:00"
input {
file {
path => ["文件路径"]
#自定义类型
type => "自定义"
start_position => "beginning"
}
#过滤器
filter{
#去除换行符
mutate{
gsub => [ "message", "\r", "" ]
#逗号分割
split => \["message",","\]
}
#分割后,字段命名与赋值
mutate{
"id" => "%{\[message\]\[0\]}"
"user" => "%{\[message\]\[2\]}"
"pc" => "%{\[message\]\[3\]}"
"cc" => "%{\[message\]\[5\]}"
"bcc" => "%{\[message\]\[6\]}"
"from\_user" => "%{\[message\]\[7\]}"
"attachments" => "%{\[message\]\[9\]}"
"content" => "%{\[message\]\[10\]}"
}
}
#字段里的日期识别,以及时区转换,生成date
date {
match => \[ "mydate", "MM/dd/yyyy HH:mm:ss" \]
target => "date"
timezone => "+00:00"
}
#删除无用字段
mutate {
remove\_field => "message"
remove\_field => "mydate"
remove\_field => "@version"
remove\_field => "host"
remove\_field => "path"
}
#将两个字段转换为整型
mutate{
convert => { "size" => "integer" }
convert => { "attachments" => "integer" }
} }
#输出,输出目标为es
output {
#stdout { codec => rubydebug }
elasticsearch {
#目标主机
host => ["目标主机1","目标主机2"]
#协议类型
protocol => "http"
#索引名
index =>"自定义"
#type
document_type=>"自定义" }
}
手机扫一扫
移动阅读更方便
你可能感兴趣的文章