我有下面这个 Logstash 配置文件：
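input {
  # Live logs: tailed from the end, sincedb kept in the plugin's default location.
  file {
    path => ["/var/log/notifications/some.log"]
    type => 'some'
  }
  file {
    path => ["/var/log/somenotifications/somenotification.log"]
    type => 'notification'
  }
  # Back-fill of rotated application logs (July–September 2016, compressed rotations excluded).
  # These files were last modified long ago. The file input skips any file whose mtime is older
  # than ignore_older, and the plugin's historical default for that setting is 86400 s (one day),
  # which would explain why only the most recently written file of a month is ever picked up.
  file {
    path => ["/var/log/somenotifications/application.log.201607*", "/var/log/somenotifications/application.log.201608*", "/var/log/somenotifications/application.log.201609*"]
    exclude => ["/var/log/somenotifications/application.log.201607*.gz", "/var/log/somenotifications/application.log.201608*.gz", "/var/log/somenotifications/application.log.201609*.gz"]
    type => 'old'
    # Read each newly discovered file from its first line (only honoured when no sincedb entry exists).
    start_position => beginning
    # Constructed value: one year in seconds. Raise it if the oldest rotated file is older than that.
    ignore_older => 31536000
    # No persisted read offsets: every pipeline restart re-reads all matched files from the beginning
    # and re-indexes them; without a document_id in the output this produces duplicate documents.
    sincedb_path => "/dev/null"
  }
  file {
    path => ["/var/log/somenotifications/someapplication.log"]
    type => "application"
  }
}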
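filter {
  # 'some' and 'notification' lines: an ISO8601 stamp, a pipe, then quoted space-separated fields.
  # Any line that does not match is tagged _grokparsefailure and carries on through the pipeline.
  if [type] == "some" {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} \| \"%{WORD:msisdn}\" \"%{WORD:operator}\" \"%{URI:page}\" \"%{DATA:affpartner}\"" }
    }
  }
  if [type] == "notification" {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} \| \"%{WORD:service}\" \"%{WORD:transactionId}\" \"%{WORD:subsId}\" \"%{WORD:status}\" \"%{WORD:errorCode}\" \"%{WORD:errorDescription}\" \"%{WORD:billingType}\" \"%{WORD:affpartner}\" \"%{WORD:operatorId}\""}
    }
  }
  # Request logs: a bracketed stamp (SYSLOG5424SD keeps the brackets), the logger prefix, the HTTP
  # method and the request path with its query string. 'payment' and 'subscribe' have no input
  # defined in this file; presumably they come from elsewhere, so the conditions are kept.
  if [type] == "application" or [type] == "old" or [type] == "payment" or [type] == "subscribe" {
    grok {
      match => {"message" => "%{SYSLOG5424SD:timestamp} notifications.DEBUG: >>>>>>>> %{WORD:method} %{URIPATH}%{URIPARAM:params}"}
    }
    # Split the query string into one field per parameter. The key names come straight from the
    # logged URL, so every new parameter name becomes a new Elasticsearch field; if the set of
    # useful parameters is known, restrict it with include_keys to keep the index mapping bounded.
    # NOTE(review): URIPARAM captures the leading "?", so the first key may arrive as "?name" — confirm.
    kv {
      field_split => "&"
      source => "params"
    }
    # A mutate filter applies convert before its add_field, so in a single block "payout_c" was
    # converted while it did not exist yet and ended up as a string. Two blocks enforce the order.
    # Guarded on [payout]: with the field absent, "%{payout}" would be stored as that literal text.
    if [payout] {
      mutate {
        add_field => {
          "payout_c" => "%{payout}"
        }
      }
      mutate {
        convert => { "payout_c" => "float" }
      }
    }
  }
  # Sets @timestamp from the parsed stamp; the bracketed pattern fits the SYSLOG5424SD capture.
  # NOTE(review): the ISO8601 stamps of 'some'/'notification' carry no brackets and will likely
  # not match this pattern (event gets _dateparsefailure, @timestamp stays the ingest time) —
  # confirm against real lines and add a second pattern to the match array if so.
  date {
    match => [ "timestamp", "[yyyy-MM-dd HH:mm:ss]" ]
    target => "@timestamp"
    locale => "en"
  }
}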
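output {
  # Request-log types go to a fixed index. Events whose grok pattern did not match are dropped
  # here without any trace; if that is not intended, add an else branch that writes them (tags
  # included) to a separate index so parse failures remain visible.
  if [type] == "payment" or [type] == "subscribe" or [type] == "application" or [type] == "old" {
    if "_grokparsefailure" not in [tags] {
      elasticsearch {
        # Plain connections without credentials; if these nodes are reachable beyond localhost,
        # configure the output's ssl/user/password options.
        hosts => ["localhost:9200", "otherhost:9200", "otherhost2:9200"]
        index => "notifications-sent"
      }
    }
  } else {
    # Everything else ('some', 'notification') goes to the plugin's default daily index.
    # The original also tested [type] != "old" here, but "old" is already routed by the branch
    # above, so that check could never be false and has been dropped.
    elasticsearch {
      hosts => ["localhost:9200", "otherhost:9200", "otherhost2:9200"]
    }
  }
}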
不明白为什么我在 Elasticsearch 中只看到 7 月 1 日和 8 月 1 日这两个文件的通知，这完全说不通 :( 问题出在 type 为 'old' 的那些文件上，其他文件都解析得很好。