logstash操作用例

input {
    # Both inputs are Log4j SocketAppender listeners (the log4j input defaults to
    # server mode, so host/port here are the bind address - confirm against the
    # installed plugin version). The SocketAppender wire format is serialized Java
    # objects over plain TCP with no authentication, so these ports should only be
    # reachable from the application hosts that ship logs.
    log4j {
        port => 4561
        host => "10.104.112.175"
        type => "simple"    # routed to the "|"-split branch of the filter
    }
    log4j {
        port => 4560
        host => "10.104.112.175"
        type => "detail"    # routed to the TJParam grok branch of the filter
    }
}

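filter {                                      # branch on the [type] each input stamped on the event
    if [type] == "simple" {
        mutate {
            # Split message on "|"; the pieces are referenced positionally below.
            split => ["message", "|"]
            # add_field is applied after the mutate operations, so [message][N]
            # already refers to the split pieces. One hash instead of five repeated
            # add_field entries avoids relying on the config compiler merging
            # duplicate keys. If a message has fewer than 5 pieces the unresolved
            # %{...} reference is left as literal text in that field.
            add_field => {
                "requestId"      => "%{[message][0]}"
                "timeCost"       => "%{[message][1]}"
                "responseStatus" => "%{[message][2]}"
                "channelCode"    => "%{[message][3]}"
                "transCode"      => "%{[message][4]}"
            }
        }
        mutate {
            # Cast timeCost to integer so the ES mapping is numeric.
            convert => ["timeCost", "integer"]
        }
    } else if [type] == "detail" {
        grok {
            # Lift the three tokens following "TJParam" into their own fields.
            # A message without "TJParam" gets the _grokparsefailure tag instead.
            match => {
                "message" => ".*TJParam %{PROG:requestId} %{PROG:channelCode} %{PROG:transCode}"
            }
        }
        grok {
            # Capture everything before "TJParam" as temMsg. The original pattern
            # was "(?(.*)(?=TJParam)/?)" - the capture name was missing, so temMsg
            # was never created and the rename below never fired.
            match => {
                "message" => "(?<temMsg>(.*)(?=TJParam)/?)"
            }
            # remove_field is a grok option, not an entry of the match hash (where
            # the original placed it). It only runs when the match succeeded, so an
            # event without "TJParam" keeps its original message.
            remove_field => ["message"]
        }
        mutate {
            # Put the truncated text back under the conventional field name.
            rename => { "temMsg" => "message" }
        }
    }
}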

output {
    # Index every event into Elasticsearch, one index per month.
    elasticsearch {
        hosts  => ["10.104.112.175:9200"]   # plain HTTP, no user/password or ssl
                                            # options set - acceptable only on a
                                            # network restricted to this pipeline
        index  => "supergwlog--%{+YYYY-MM}"
        action => "index"
    }
}
