45332 发表于 2016-8-1 09:22:38

Logstash输出日志到elasticsearch

Logstash配置文件
# vim useTime.conf
# Pipeline: read lines from standard input, extract the API label and the
# elapsed time with grok, then print each event and index it in Elasticsearch.
input {
    # Events come from the terminal; no "type" field is set on them here.
    stdin{}
}
filter {
    grok {
      # Named captures:
      #   API          - text starting at "调用" up to "用时" or "异常"
      #   request_time - the digits after "useTime=" at the end of the line
      # Both are stored as strings (see the quoted "251" in the rubydebug
      # output); a numeric conversion would be needed before aggregating.
      match => {
            "message" =>"\s+(?<API>调用.*(用时|异常)).*useTime=(?<request_time>\d+?)$"
      }
    }
}
output {
    # Debug view of every event; the raw line, including the backend URL,
    # is kept in "message" and is also what gets indexed below.
    stdout{
      codec => rubydebug
    }
# NOTE(review): this output names only host:port. No user/password and no
# ssl/cacert options are set, so events travel unauthenticated and unencrypted.
# Confirm port 9200 is reachable only from trusted hosts, or enable the
# plugin's authentication and TLS options.
elasticsearch {
      hosts =>["192.168.81.128:9200"]
      # NOTE(review): %{type} is referenced here and in document_type, but
      # nothing in this pipeline sets "type" (the rubydebug output has no such
      # field). An unresolved reference is left as the literal text "%{type}".
      index =>"logstash-%{type}-%{+YYYY.MM.dd}"
      document_type => "%{type}"
      workers => 1
      # Replaces the index template already stored in Elasticsearch with the
      # one this plugin manages; confirm no other pipeline relies on it.
      template_overwrite => true
    }
}
#

测试对应的日志
[] impl.GzClientServiceImpl.exec:234 - 调用gz(广州银行)用时,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=251
[] impl.GzClientServiceImpl.exec:234 - 调用gz(广州银行)异常,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=2510

测试结果
# /opt/logstash-2.3.4/bin/logstash -f useTime.conf
Settings: Default pipeline workers: 1
Pipeline main started
[] impl.GzClientServiceImpl.exec:234 - 调用gz(广州银行)用时,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=251
{
         "message" => " [] impl.GzClientServiceImpl.exec:234 - 调用gz(广州银行)用时,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=251",
      "@version" =>"1",
      "@timestamp" =>"2016-07-31T01:28:26.910Z",
            "host" =>"0.0.0.0",
             "API" => "调用gz(广州银行)用时",
    "request_time" =>"251"
}
[] impl.GzClientServiceImpl.exec:234 - 调用gz(广州银行)异常,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=2510
{
         "message" => " [] impl.GzClientServiceImpl.exec:234 - 调用gz(广州银行)异常,URL=http://172.31.8.122:7040/corbankexpress/httpAccess,useTime=2510",
      "@version" =>"1",
      "@timestamp" =>"2016-07-31T01:28:47.205Z",
            "host" =>"0.0.0.0",
             "API" => "调用gz(广州银行)异常",
    "request_time" =>"2510"
}
查看elasticsearch状态

