0

我有这个配置文件

input {
    file {
        path => ["/var/log/notifications/some.log"]
        type => 'some'
    }

   file {
       path => ["/var/log/somenotifications/somenotification.log"]
       type => 'notification'
   }

   file {
        path => ["/var/log/somenotifications/application.log.201607*", "/var/log/somenotifications/application.log.201608*", "/var/log/somenotifications/application.log.201609*"]
        exclude => ["/var/log/somenotifications/application.log.201607*.gz", "/var/log/somenotifications/application.log.201608*.gz", "/var/log/somenotifications/application.log.201609*.gz"]
        type => 'old'
        start_position => beginning
        sincedb_path => "/dev/null"
   }

   file {
         path => ["/var/log/somenotifications/someapplication.log"]
         type => "application"
    }
}

filter {
     if [type] == "some" {
          grok {
                match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} \| \"%{WORD:msisdn}\" \"%{WORD:operator}\" \"%{URI:page}\" \"%{DATA:affpartner}\"" }
          }
     }

     if [type] == "notification" {
          grok {
                match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} \| \"%{WORD:service}\" \"%{WORD:transactionId}\" \"%{WORD:subsId}\" \"%{WORD:status}\" \"%{WORD:errorCode}\" \"%{WORD:errorDescription}\" \"%{WORD:billingType}\" \"%{WORD:affpartner}\" \"%{WORD:operatorId}\""}
          }
     }

     if [type] == "application" or [type] == "old" or [type] == "payment" or [type] == "subscribe" {
             grok {
                 match => {"message" => "%{SYSLOG5424SD:timestamp} notifications.DEBUG: >>>>>>>> %{WORD:method} %{URIPATH}%{URIPARAM:params}"}
             }
             kv {
                 field_split => "&"
                 source => "params"
             }
             mutate {
                add_field => {
                     "payout_c" => "%{payout}"
                }
                convert => { "payout_c" => "float" }
             }
      }

    date {
       match => [ "timestamp", "[yyyy-MM-dd HH:mm:ss]" ]
       target => "@timestamp"
       locale => "en"
    }
}

output {
    if [type] == "payment" or [type] == "subscribe" or [type] == "application" or [type] == "old" {
        if "_grokparsefailure" not in [tags] {
            elasticsearch {
                hosts => ["localhost:9200", "otherhost:9200", "otherhost2:9200"]
                index => "notifications-sent"
            }
        }
    } else {
        if [type] != "old" {
            elasticsearch {
                hosts => ["localhost:9200", "otherhost:9200", "otherhost2:9200"]
            }
        }
    }
}

不明白为什么我在弹性搜索中只看到 7 月 1 日和 8 月 1 日文件的通知。没有任何意义:(问题在于文件类型“旧”,其他文件解析效果很好

4

0 回答 0