I'm trying to parse a custom log using only Filebeat and processors. I don't want to use Logstash and pipelines.
Below is a sample of the log:
TID: [-1234] [] [2021-08-25 16:25:52,021] INFO {org.wso2.carbon.event.output.adapter.logger.LoggerEventAdapter} - Unique ID: Evento_Teste, Event: {"event":{"host":"example.com","server":"WSO2 API Manager"}}
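Then, I need to get the date 2021-08-25 16:25:52,021 and make it my _doc timestamp, and get the Event and make it my message.
After many tries, I'm only able to dissect the log using the following configuration: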
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /tmp/a.log
processors:
  - dissect:
      tokenizer: "TID: [-1234] [] [%{@timestamp}] INFO {org.wso2.carbon.event.output.adapter.logger.LoggerEventAdapter} - Unique ID: Evento_Teste, Event: %{event}"
      field: "message"
output.console:
  pretty: true
And I got the following output:
{
  "@timestamp": "2021-08-25T19:58:00.525Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "_doc",
    "version": "7.12.1"
  },
  "input": {
    "type": "log"
  },
  "dissect": {
    "@timestamp": "2021-08-25 16:25:52,021",
    "event": "{\"event\":{\"host\":\"example.com\",\"server\":\"WSO2 API Manager\"}}"
  },
  "host": {
    "name": "dtrsrvhomapim301"
  },
  "agent": {
    "ephemeral_id": "1555da2b-234f-444e-a0fe-42b49fb73b38",
    "id": "1b43e769-87be-4087-9876-70281ceb3cf5",
    "name": "dtrsrvhomapim301",
    "type": "filebeat",
    "version": "7.12.1",
    "hostname": "dtrsrvhomapim301"
  },
  "ecs": {
    "version": "1.8.0"
  },
  "log": {
    "offset": 0,
    "file": {
      "path": "/tmp/a.log"
    }
  },
  "message": "TID: [-1234] [] [2021-08-25 16:25:52,021] INFO {org.wso2.carbon.event.output.adapter.logger.LoggerEventAdapter} - Unique ID: Evento_Teste, Event: {\"event\":{\"host\":\"example.com\",\"server\":\"WSO2 API Manager\"}}"
}
I don't know how to make dissect.@timestamp my @timestamp, or how to parse dissect.event as JSON and make it my message.
How can those be done?