[log]logstash新增欄位.geoip展示
阿新 • • 發佈:2019-02-07
add_field
配置檔案
# add_field demo: tail /tmp/a.txt, stamp every event with a constant field
# and ship it to Elasticsearch, with a rubydebug copy on stdout for inspection.
input {
  file {
    type => "a-txt"
    path => "/tmp/a.txt"
    # Literal value: the same key/value lands on every event from this input.
    add_field => { "testfield" => "testfield" }
  }
}

output {
  # Route on the type assigned by the input above.
  if [type] == "a-txt" {
    elasticsearch {
      # Single node over plain HTTP, no credentials configured here.
      hosts => [ "192.168.6.104:9200" ]
      # One index per day.
      index => "a-txt-%{+YYYY-MM-dd}"
    }
    # Echo each event in Ruby-hash form.
    stdout {
      codec => rubydebug
    }
  }
}
測試:
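# Append two test lines to the file the input watches.
# The config reads /tmp/a.txt, so write to that absolute path: a relative
# a.txt is only picked up when the shell's working directory happens to be /tmp.
echo 4 >> /tmp/a.txt
echo 5 >> /tmp/a.txt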
輸出
{
"path" => "/tmp/a.txt",
"@timestamp" => 2017-09-17T02:40:20.327Z,
"@version" => "1",
"host" => "no104.p100.net",
"message" => "4",
"type" => "a-txt",
"testfield" => "testfield"
}
{
"path" => "/tmp/a.txt",
"@timestamp" => 2017-09-17T02:40:23.336Z,
"@version" => "1",
"host" => "no104.p100.net",
"message" => "5",
"type" => "a-txt",
"testfield" => "testfield"
}
多個tag
給日誌打tag
輸出
{
"path" => "/tmp/a.txt",
"@timestamp" => 2017-09-17T03:01:31.771Z,
"@version" => "1",
"host" => "no104.p100.net",
"message" => "10",
"type" => "a-txt",
"testfield" => "testfield",
"tags" => [
[0] "mytag"
]
}
kibana展示
多個tag
輸出
{
"path" => "/tmp/a.txt",
"@timestamp" => 2017-09-17T03:11:18.462Z,
"@version" => "1",
"host" => "no104.p100.net",
"message" => "11",
"type" => "a-txt",
"testfield" => "testfield",
"tags" => [
[0] "mytag",
[1] "mytag2",
[2] "mytag3"
]
}
kibana展示
配置:
[root@no104 logstash]# cat all.conf
# all.conf: same add_field pipeline, plus a fixed set of tags on every event
# and a read from the start of the file.
input {
  file {
    type => "a-txt"
    path => "/tmp/a.txt"
    # Read existing content too; only honoured the first time a file is seen,
    # afterwards the sincedb offset decides.
    start_position => "beginning"
    # Every event from this input carries all three tags.
    tags => [ "mytag", "mytag2", "mytag3" ]
    add_field => { "testfield" => "testfield" }
  }
}

output {
  if [type] == "a-txt" {
    elasticsearch {
      # Single node over plain HTTP, no credentials configured here.
      hosts => [ "192.168.6.104:9200" ]
      index => "a-txt-%{+YYYY-MM-dd}"
    }
    stdout {
      codec => rubydebug
    }
  }
}
geoip的配置
[root@no104 conf]# cat getip.conf
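# getip.conf: enrich Tomcat access-log events with GeoIP data.
# NOTE(review): assumes each log line is one JSON object that contains a
# "clientip" field (i.e. Tomcat's access log uses a JSON pattern) — confirm
# against the AccessLogValve pattern actually in use.
input {
  file {
    type => "tomcat-access"
    path => [ "/data/tomcat/logs/tomcat_access_log.*.log" ]
    # Only honoured the first time a file is seen; afterwards sincedb decides.
    start_position => "beginning"
    codec => "json"
  }
}

filter {
  if [type] == "tomcat-access" {
    geoip {
      # Event field holding the client IP to look up.
      source => "clientip"
      # Sub-document that receives the lookup results.
      target => "geoip"
      # MaxMind database to load.
      database => "/data/es/conf/GeoLite2-City_20170905/GeoLite2-City.mmdb"
      # Build [geoip][coordinates] as [longitude, latitude] — longitude first,
      # the array order Elasticsearch expects for a geo_point.
      # The original used two separate add_field lines for the same key (which
      # Logstash only merges for legacy reasons) and labelled longitude as
      # latitude and vice versa; one hash entry with an array value yields the
      # same field without depending on duplicate-key merging.
      add_field => {
        "[geoip][coordinates]" => [ "%{[geoip][longitude]}", "%{[geoip][latitude]}" ]
      }
    }
    mutate {
      # sprintf produces strings; convert both elements to float so the field
      # can be mapped as geo_point.
      # NOTE(review): map visualisations need [geoip][coordinates] mapped as
      # geo_point in the index template — confirm; the geoip filter's own
      # [geoip][location] field may already serve that purpose.
      convert => { "[geoip][coordinates]" => "float" }
    }
  }
}

output {
  elasticsearch {
    # Single node over plain HTTP, no credentials configured here.
    hosts => [ "192.168.6.104:9200" ]
    index => "logstash-tomcat-access-%{+YYYY.MM.dd}"
  }
  # Debug copy of every event; drop once the pipeline is verified.
  stdout {
    codec => rubydebug
  }
}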