試過各種方法,最終存儲到es,發現在grok定義的變量%{}無法在后面獲取,最終es索引中只有一個message,沒有clientip、ident、auth之類變量,但是網上看到別人的都可以存儲input{file{path=>"/var/tomcat8/logs/vg_access_log*.txt"sincedb_path=>"/usr/local/logstash/etc/sincedb_tomcat_log.txt"type=>"tomcat_log"add_field=>{"tomcatip"=>"xxx"}}}filter{if[type]=="tomcat_log"{grok{match=>{"message"=>"%{IPORHOST:clientip}%{USER:ident}%{USER:auth}\[%{HTTPDATE:timestamp}\]\"(?:%{WORD:verb}%{URIPATHPARAM:request}(?:HTTP/%{NUMBER:httpversion})?|-)\"%{NUMBER:response}(?:%{NUMBER:bytes}|-)%{NUMBER:responsetime}\"(?:%{URI:referrer}|-)\"%{QS:agent}"}}kv{source=>"request"field_split=>"&?"value_split=>"="}date{match=>["timestamp","dd/MMM/yyyy:HH:mm:ssZ"]target=>["writetime"]}mutate{convert=>{"response"=>"integer""bytes"=>"integer""responsetime"=>"integer"}}}}output{if[type]=="tomcat_log"{elasticsearch{hosts=>["xxx:9200"]index=>"tomcat-log-%{+YYYY.MM.dd}"}}}
logstash無法獲取變量
瀟瀟雨雨
2019-05-25 17:55:40
