logstash处理多个beats文件

多个beats文件

实战

cat /wj/zabbix/apitime.log
2019-03-20 00:44:33 0.25475

cat /wj/zabbix/err_api.log
2019-03-20 00:44:33 {"code":1,"message":"Token Expire","data":null}

filebeat设置

filebeat.inputs:
- input_type: log
  paths:
    - /wj/zabbix/apitime.log
  type: "api_time"
  fields:
    #logsource: 192.168.0.87
    logtype: api_time
- input_type: log
  paths:
    - /wj/zabbix/err_api.log
  type: "err_api"
  fields:
    #logsource: 192.168.0.87
    logtype: err_api
    
output.logstash:
  hosts: ["192.168.0.87:5044"]

logstash设置

input {
    beats {
        port => "5044"
        #host => "192.168.0.87"
    }
}
filter {
    if [fields][logtype] == "api_time" {
        grok {
            match => { "message" => "%{TIMESTAMP_ISO8601:date1} %{WORD:time1}" }
        }
    }
    if [fields][logtype] == "err_api" {
        grok {
             match => { "message" => "%{TIMESTAMP_ISO8601:date2} %{GREEDYDATA:log_json}" }
        }
        json {
            source => "log_json"
            target => "log_json_content"
            remove_field => ["log_json"]
        }
    }
}
output {
    if [fields][logtype] == "api_time" {
        elasticsearch {
            hosts => "192.168.0.87:9200"
            index => "api_time-%{+YYYY.MM.dd}"
        }
    }
    if [fields][logtype] == "err_api" {
        elasticsearch {
            hosts => "192.168.0.87:9200"
            index => "err_api-%{+YYYY.MM.dd}"
        }
    }
}