I am trying to create an index for each input log file. Here is my logstash config:

input {
    beats {
        port => "5044"
    }
    file{
        path => "/home/centos/logs/mylogs.log"
        id => "mylog"
    }
    file{
        path => "/home/centos/logs/syslog.log"
        id => "syslog"
    }
}
filter {
}
output {
    if [id] == "mylog" {
        elasticsearch {
            hosts => [ "10.206.81.246:9200", "10.206.81.236:9200", "10.206.81.243:9200" ]
            user => "Test"
            password => "123456"
            index => "mylog-%{+YYYY.MM.dd}-%{id}"
        }
    }
    else if [id] == "syslog" {
        elasticsearch {
            hosts => [ "10.206.81.246:9200", "10.206.81.236:9200", "10.206.81.243:9200" ]
            user => "Test"
            password => "123456"
            index => "syslog-%{+YYYY.MM.dd}-%{id}"
        }
    }
}

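I don't understand how to create separate inputs based on path. I tried replacing %{id} with %{[id]} or %{+[id]}, but it did not work. I also tried using type or tags, with the same result. I only got these indices created: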

mylog-2018.01.22-%{[id]}
mylog-2018.01.22-%{type}
mylog-2018.01.22-{id}

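Is it even possible to create a separate index for each log file? If so, how do I configure it? I did some research in the documentation and in this and this. Nothing worked for me.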

Edit:
Output of a record in Kibana:

@timestamp        January 22nd 2018, 10:04:40.799
@version          1
_id               HwYcHWEB0LbLyxQz0EnW
_index            syslog-2018.01.22
_score            2
_type             doc
beat.hostname     filebeat-prod-fileabeat1.myname.osdc1.company.local
beat.name         filebeat-prod-fileabeat1.myname.osdc1.company.local
beat.version      6.1.1
bytes             138
client            12.4.14.27
duration          0.23
host              filebeat-prod-fileabeat1.myname.osdc1.company.local
message           12.4.14.27 abcd /index.html 138 0.23
method            abcd
offset            379,156
prospector.type   log
request           /index.html
source            /home/centos/logs/mylogs.log
tags              beats_input_codec_plain_applied

0 answers
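
An added example, not part of the original post: one way to give each log file its own index. It relies on the plugin `id` not being an event field, so `%{id}` has nothing to resolve and stays literal in the index name. It assumes Filebeat events carry the file path in `[source]`, as in the Kibana record above; the `[@metadata][target]` field, the `unrouted` catch-all name, the changed plugin ids and the `ES_USER` / `ES_PWD` environment variables are hypothetical names chosen for this sketch.

```logstash
input {
    beats {
        port => 5044
    }
    file {
        path => "/home/centos/logs/mylogs.log"
        # "id" only names the plugin instance for monitoring; it is not an event field.
        id => "mylog_file"
        add_field => { "[@metadata][target]" => "mylog" }
    }
    file {
        path => "/home/centos/logs/syslog.log"
        id => "syslog_file"
        add_field => { "[@metadata][target]" => "syslog" }
    }
}
filter {
    # Events arriving through the beats input have no [@metadata][target] yet.
    # Filebeat 6.x records the originating file path in [source].
    if ![@metadata][target] {
        if [source] == "/home/centos/logs/mylogs.log" {
            mutate { add_field => { "[@metadata][target]" => "mylog" } }
        } else if [source] == "/home/centos/logs/syslog.log" {
            mutate { add_field => { "[@metadata][target]" => "syslog" } }
        } else {
            # Unknown paths go to a catch-all index instead of a literal "%{...}" name.
            mutate { add_field => { "[@metadata][target]" => "unrouted" } }
        }
    }
}
output {
    elasticsearch {
        hosts => [ "10.206.81.246:9200", "10.206.81.236:9200", "10.206.81.243:9200" ]
        # Assumed environment variables, so credentials are not stored in the pipeline file.
        user => "${ES_USER}"
        password => "${ES_PWD}"
        # [@metadata] fields can be used in sprintf references but are not sent to Elasticsearch.
        index => "%{[@metadata][target]}-%{+YYYY.MM.dd}"
    }
}
```

Because the target name lives under `[@metadata]`, it selects the index without adding a field to the stored documents.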