logstash 配置文件案例

input {
  # Read every file that matches /opt/*.log.
  # The glob is broad: any *.log file that appears directly under /opt is
  # ingested, so a dedicated log directory with restricted write access is a
  # safer source than a shared location.
  file {
    # "beginning" only affects files the plugin has not tracked before;
    # files it has already recorded a position for resume from that position.
    start_position => "beginning"
    path => "/opt/*.log"
  }
}

filter {
        # Parse each raw line with grok, derive success_message / finish_time,
        # and discard every event grok could not parse.
        grok {
#               patterns_dir => ['/usr/local/logstash/pattern/postfix']
                # NOTE(review): each group below opens with "(?" followed directly by
                # the sub-pattern, which is not a valid regex group. The "<name>" part
                # of the "(?<name>...)" named captures appears to have been stripped
                # when this page was rendered. The mutate block below needs one group
                # to be named success_info; restore the capture names before use.
                match => {
                "message" => "(?.*?[0-9]{6}[.][0-9]{3}\[main\])(?.*?:)(?[0-9]{8})(?.*)"                
               }
        }
        # Runs for every event, including ones grok failed on (the drop check
        # comes after this block).
        mutate {

        # Split success_info on ":" so that it becomes an array.
        split => ["success_info",":"]
        # Keep the first element of the split as success_message.
        # NOTE(review): newer Logstash releases document the bracketed form
        # %{[success_info][0]} - confirm this reference resolves on your version.
        add_field => {"success_message" => "%{success_info[0]}"}
        # Copy the event's @timestamp into finish_time. No date filter is present,
        # so this is presumably the time Logstash read the line - confirm.
        add_field => {"finish_time" => "%{@timestamp}"}
        remove_field => "success_info"
        # Removing "message" discards the original log line; after this, the raw
        # text is no longer available downstream for investigation or re-parsing.
        remove_field => "message"
        }
# Drop every line that failed to parse.
# These events are discarded silently, so a log format change or an unexpected
# line leaves no trace in the index; routing failures to a separate index or
# file keeps them visible for review.
        if "_grokparsefailure" in [tags]{
                drop { }
        }

}

output {
  # Debug output: pretty-print every event to the console. Full event contents
  # end up wherever stdout is captured, so this is best limited to testing.
  stdout { codec => rubydebug }

  # Index events into Elasticsearch.
  # No https scheme, user/password or TLS settings are given, so events are sent
  # over plain HTTP without authentication. That only works against a cluster
  # with security disabled; for anything beyond an isolated lab, use an https
  # endpoint and a least-privilege account limited to writing this index.
  elasticsearch {
    hosts => ["192.168.26.133:9200"]
    index => "ods_log_monitor"
  }
}

启动logstash

# --config.reload.automatic: reload the pipeline automatically whenever the config file changes.
# Edits take effect without a restart, so keep grok2.conf writable only by the
# account that administers Logstash.
/usr/local/logstash/bin/logstash --config.reload.automatic -f /usr/local/logstash/grok2.conf
