I am trying to split logs from different applications into their own indices. This is what I'm trying:
filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - "/opt/logs/filebeat_test_1.log"
  fields:
    application: "APP_TEST_1"
    type: "logs1"
- type: log
  enabled: true
  paths:
    - "/opt/logs/filebeat_test_2.log"
  fields:
    application: "APP_TEST_2"
    type: "logs2"
output.logstash:
  hosts: ["logstash:5044"]
logstash.conf
input {
  beats {
    port => 5044
  }
}
output {
  elasticsearch {
    hosts => "es-ingest:9200"
    index => "%{[fields.application]}-%{[beat.version]}-%{+yyyy.MM.dd}"
  }
}
However, I am not getting the expected indices. Is this the correct way to split the different logs from different applications into their own indices? Any help is appreciated.
Try:
input {
  beats {
    port => 5044
  }
}
filter {
  # Filebeat puts custom `fields:` under [fields] unless fields_under_root is set,
  # and nested fields are referenced as [a][b] in Logstash, not [a.b].
  if [fields][application] == "APP_TEST_1" {
    mutate {
      add_field => { "[@metadata][index]" => "%{[fields][application]}-%{[beat][version]}-%{+yyyy.MM.dd}" }
    }
  }
  else if [fields][application] == "APP_TEST_2" {
    mutate {
      add_field => { "[@metadata][index]" => "%{[fields][application]}-%{[beat][version]}-%{+yyyy.MM.dd}" }
    }
  }
  # Elasticsearch rejects index names with uppercase letters, so lowercase the
  # computed name in a second mutate (add_field is applied last within a mutate).
  mutate {
    lowercase => [ "[@metadata][index]" ]
  }
}
output {
  elasticsearch {
    hosts => "es-ingest"
    index => "%{[@metadata][index]}"
  }
}
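To show why the question's index pattern came out wrong and what corrected references produce, here is an added Python example (not code from the question or the answer, and not Logstash's own implementation) that mimics Logstash field-reference and sprintf resolution over a constructed Filebeat 6.x event; the event contents and the fixed date are assumptions. It also checks the resolved name against Elasticsearch's index-name rules, which reject uppercase names such as the ones built from APP_TEST_1.

```python
import re

# Constructed sample event in the shape Filebeat 6.x sends to Logstash for the
# filebeat.yml in the question: custom `fields:` land under "fields", not at the
# root, because fields_under_root is not set.
FILEBEAT_EVENT = {
    "@timestamp": "2019-05-01T12:00:00.000Z",
    "message": "hello from app 1",
    "beat": {"name": "host-1", "version": "6.7.0"},
    "fields": {"application": "APP_TEST_1", "type": "logs1"},
}

_REF = re.compile(r"%\{([^}]+)\}")

def resolve_ref(event, ref):
    # Each [...] segment is one map key, so "[fields.application]" is a single key
    # that literally contains a dot; it never descends into "fields".
    keys = re.findall(r"\[([^\]]+)\]", ref) if ref.startswith("[") else [ref]
    cur = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def sprintf(event, pattern, day="2019.05.01"):
    # Mimic Logstash sprintf on an index pattern: %{[a][b]} -> field value,
    # %{+yyyy.MM.dd} -> date (a fixed constructed value here, not @timestamp),
    # and a reference to a missing field is left verbatim, as Logstash does.
    def substitute(match):
        ref = match.group(1)
        if ref.startswith("+"):
            return day
        value = resolve_ref(event, ref)
        return match.group(0) if value is None else str(value)
    return _REF.sub(substitute, pattern)

def index_name_problems(name):
    # Elasticsearch index-name rules that the resolved name breaks (empty = OK).
    problems = []
    if "%{" in name:
        problems.append("unresolved Logstash field reference")
    if name != name.lower():
        problems.append("must be lowercase")
    if re.search(r'[\\/*?"<>| ,#]', name):
        problems.append("contains a forbidden character")
    if name.startswith(("-", "_", "+")):
        problems.append("must not start with -, _ or +")
    return problems
```

Running the question's pattern through sprintf() leaves both references unresolved, while the corrected pattern with [fields][application] and [beat][version] yields APP_TEST_1-6.7.0-2019.05.01, which index_name_problems() flags as needing lowercasing.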