{"id":1609,"date":"2022-05-03T20:24:47","date_gmt":"2022-05-03T12:24:47","guid":{"rendered":"https:\/\/www.buyao007.icu\/?p=1609"},"modified":"2022-05-07T21:21:57","modified_gmt":"2022-05-07T13:21:57","slug":"4-logstash%e6%97%a5%e5%bf%97%e5%a4%84%e7%90%86","status":"publish","type":"post","link":"https:\/\/www.buyao007.icu\/?p=1609","title":{"rendered":"4.Logstash\u65e5\u5fd7\u5904\u7406\u5feb\u901f\u5165\u95e8"},"content":{"rendered":"\n

\u5b59\u5bcc\u9633\uff0c \u6c5f\u6e56\u4eba\u79f0\u6ca1\u4eba\u79f0\u3002\u591a\u5e74\u4e92\u8054\u7f51\u8fd0\u7ef4\u5de5\u4f5c\u7ecf\u9a8c\uff0c\u66fe\u8d1f\u8d23\u8fc7\u5b59\u5e03\u65af\u5927\u89c4\u6a21\u96c6\u7fa4\u67b6\u6784\u81ea\u52a8\u5316\u8fd0\u7ef4\u7ba1\u7406\u5de5\u4f5c\u3002\u64c5\u957fWeb\u96c6\u7fa4\u67b6\u6784\u4e0e\u81ea\u52a8\u5316\u8fd0\u7ef4\uff0c\u66fe\u8d1f\u8d23\u56fd\u5185\u67d0\u5927\u578b\u535a\u5ba2\u7f51\u7ad9\u8fd0\u7ef4\u5de5\u4f5c\u3002<\/p>\n\n\n\n

1.logstash\u4ecb\u7ecd<\/h2>\n\n\n\n

1.\u4e3a\u4ec0\u4e48\u9700\u8981logstash<\/em><\/strong><\/p>\n\n\n\n

\u5bf9\u4e8e\u90e8\u5206\u751f\u4ea7\u4e0a\u7684\u65e5\u5fd7\u65e0\u6cd5\u50cfNginx\u90a3\u6837\uff0c\u53ef\u4ee5\u76f4\u63a5\u5c06\u8f93\u51fa\u7684\u65e5\u5fd7\u8f6c\u4e3ajson\u683c\u5f0f\uff0c\u4f46\u662f\u53ef\u4ee5\u501f\u52a9logstash\u6765\u5c06\u6211\u4eec\u7684\u201c\u975e\u7ed3\u6784\u5316\u6570\u636e\u201d\uff0c\u8f6c\u4e3a\u201c\u7ed3\u6784\u5316\u6570\u636e\u201d\uff1b\r\n\u800c\u4e14logstash\u7684\u6570\u636e\u662f\u5747\u5300\u7684\u6253\u5230es\u6570\u636e\u5e93\u7684\uff0c\u53ef\u4ee5\u51cf\u8f7bes\u7684\u538b\u529b\u3002\r<\/code><\/pre>\n\n\n\n
2.\u4ec0\u4e48\u662flogstash<\/em><\/strong><\/p>\n\n\n\n
Logstash\u662f\u5f00\u6e90\u7684\u6570\u636e\u5904\u7406\u7ba1\u9053\uff0c\u80fd\u591f\u540c\u65f6\u4ece\u591a\u4e2a\u6e90\u91c7\u96c6\u6570\u636e\uff0c\u8f6c\u6362\u6570\u636e\uff0c\u7136\u540e\u8f93\u51fa\u6570\u636e\u3002<\/code><\/pre>\n\n\n\n
3.logstash\u67b6\u6784\u4ecb\u7ecd<\/em><\/strong><\/p>\n\n\n\n
Logstash\u7684\u57fa\u7840\u67b6\u6784\u7c7b\u4f3c\u4e8epipeline\u6d41\u6c34\u7ebf\r\n  Input\uff1a\u6570\u636e\u91c7\u96c6\uff08\u5e38\u7528\u63d2\u4ef6\uff1astdin\u3001file\u3001kafka\u3001beat\u3001http\uff09\r\n  Filter\uff1a\u6570\u636e\u89e3\u6790\u8f6c\u6362\uff08\u5e38\u7528\u63d2\u4ef6\uff1agrok\u3001date\u3001geoip\u3001mutate\u3001useragent\uff09\r\n  Output\uff1a\u6570\u636e\u8f93\u51fa\uff08\u5e38\u7528\u63d2\u4ef6\uff1aelasticsearch\uff09\r<\/code><\/pre>\n\n\n\n
2.logstash input\u63d2\u4ef6<\/h2>\n\n\n\n
1.input\u63d2\u4ef6\u4ecb\u7ecd<\/em><\/strong><\/p>\n\n\n\n
Input\u63d2\u4ef6\u7528\u4e8e\u6307\u5b9a\u8f93\u5165\u6e90\uff0c\u4e00\u4e2apipeline\u53ef\u4ee5\u6709\u591a\u4e2ainput\u63d2\u4ef6\uff0c\u6211\u4eec\u4e3b\u8981\u56f4\u7ed5\u4e0b\u9762\u4ecb\u4e2ainput\u63d2\u4ef6\u8fdb\u884c\u4ecb\u7ecd\r\n  Stdin\r\n  File\r\n  Beat\r\n  Kafka\r<\/code><\/pre>\n\n\n\n
2.stdin\u63d2\u4ef6<\/em><\/strong><\/p>\n\n\n\n
\u4ece\u6807\u51c6\u8f93\u5165\u8bfb\u53d6\u6570\u636e\uff0c\u4ece\u6807\u51c6\u8f93\u51fa\u4e2d\u8f93\u51fa\u5185\u5bb9\uff1b\r\n###\u5b89\u88c5java\r\n[root@es-node3 ~]# yum -y install java\r\n###\u5b89\u88c5logstash\r\n[root@es-node3 ~]# yum localinstall logstash-7.9.3.rpm -y\r\n###\u7f16\u8f91\u914d\u7f6e\u6587\u4ef6\r\n[root@es-node3 ~]# cat \/etc\/logstash\/conf.d\/stdin_Logstash.conf\r\ninput {\r\n\tstdin { ###\u63d2\u4ef6\u7c7b\u578b\u4e3astdin\r\n\t\ttype => \"stdin\" ###\u81ea\u5b9a\u4e49\u4e00\u4e2a\u7c7b\u578b\u7684\u540d\u5b57\r\n\t\ttags => \"stdin_type\" ###\u81ea\u5b9a\u4e49\u4e00\u4e2atags\r\n\t}\r\n}\r\noutput {\r\n\tstdout { ###\u8f93\u51fa\u7684\u63d2\u4ef6\u7c7b\u578b\r\n\t\tcodec => \"rubydebug\"\r\n\t}\r\n}\r\n###\u542f\u52a8logstash\r\n[root@es-node3 ~]# \/usr\/share\/logstash\/bin\/logstash -f \/etc\/logstash\/conf.d\/stdin_Logstash.conf\r\n\u7b49\u5f85\u7ea630\u79d2\u540e\u542f\u52a8\u6210\u529f\uff0c\u76f4\u63a5\u5728\u5f53\u524d\u7ec8\u7aef\u8f93\u5165sunfuyang\u53ef\u4ee5\u770b\u5230\u8f93\u51fa\u7ed3\u679c\uff0c\u6bd4filebeat\u7b80\u6d01\u7684\u591a\u3002\r<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
3.file\u63d2\u4ef6<\/em><\/strong><\/p>\n\n\n\n
\u4ecefile\u6587\u4ef6\u4e2d\u8bfb\u53d6\u6570\u636e\uff0c\u7136\u540e\u8f93\u5165\u81f3\u6807\u51c6\u8f93\u5165\uff1b\r\n###\u7f16\u8f91\u914d\u7f6e\u6587\u4ef6\r\n[root@es-node3 ~]# cat \/etc\/logstash\/conf.d\/file_Logstash.conf\r\ninput  {\r\n\tfile {\r\n\t\tpath => \"\/var\/log\/sunfuyang.log\"\r\n\t\ttype => \"syslog\"\r\n\t\texclude => \"*.gz\" ###\u6392\u9664\u7684\u6587\u4ef6\r\n\t\tstart_position => \"beginning\" ###\u7b2c\u4e00\u6b21\u4ece\u5934\u8bfb\u53d6\u6587\u4ef6 beginning or end\r\n\t\tstat_interval => \"3\" ###\u5b9a\u65f6\u68c0\u67e5\u6587\u4ef6\u662f\u5426\u66f4\u65b0\uff0c\u9ed8\u8ba41s\r\n\t}\r\n}\r\noutput {\r\n\tstdout {\r\n\t\tcodec => \"rubydebug\"\r\n\t}\r\n}\r\n###\u542f\u52a8logstash\r\n[root@es-node3 ~]# \/usr\/share\/logstash\/bin\/logstash -f \/etc\/logstash\/conf.d\/file_Logstash.conf\r\n\u53ef\u4ee5\u770b\u5230\u5f88\u591a\u4e0b\u56fe\u6240\u793a\u7684\u8f93\u51fa\r<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
4.beats\u63d2\u4ef6<\/em><\/strong><\/p>\n\n\n\n
\u4ecefilebeat\u4e2d\u8bfb\u53d6\u6570\u636e\uff0c\u7136\u540e\u8f93\u5165\u81f3\u6807\u51c6\u8f93\u5165\uff1b\r\n\u524d\u63d0\u662ffilebeat\u8f93\u51fa\u5230logstash\u3002\r\ninput  {\r\n\tbeats {\r\n\t\tport => 5044\r\n\t}\r\n}\r\noutput {\r\n\tstdout {\r\n\t\tcodec => \"rubydebug\"\r\n\t}\r\n}\r<\/code><\/pre>\n\n\n\n
5.kafka\u63d2\u4ef6<\/em><\/strong><\/p>\n\n\n\n
\u4ecekafka\u4e2d\u8bfb\u53d6\u6570\u636e\uff0c\u7136\u540e\u8f93\u5165\u81f3\u6807\u51c6\u8f93\u51fa\uff1b\r\n[root@es-node3 ~]# cat \/etc\/logstash\/conf.d\/kafka_Logstash.conf\r\ninput  {\r\n\tkafka {\r\n\t\tzk_connect => \"kafka1:2181,kafka2:2181,kafka3:2181\"\r\n\t\tgroup_id => \"logstash\"\r\n\t\ttopic_id => \"apache_logs\"\r\n\t\tconsumer_threads => 16\r\n\t}\r\n}\r\noutput {\r\n\tstdout {\r\n\t\tcodec => \"rubydebug\"\r\n\t}\r\n}\r<\/code><\/pre>\n\n\n\n
3.logstash filter\u63d2\u4ef6<\/h2>\n\n\n\n
1.filter\u63d2\u4ef6\u4ecb\u7ecd<\/em><\/strong><\/p>\n\n\n\n
    \u6570\u636e\u4ece\u6e90\u4f20\u8f93\u5230\u5b58\u50a8\u7684\u8fc7\u7a0b\u4e2d\uff0clogstash\u7684filter\u8fc7\u6ee4\u5668\u80fd\u591f\u89e3\u6790\u5404\u4e2a\u4e8b\u4ef6\uff0c\u8bc6\u522b\u5df2\u547d\u540d\u7684\u5b57\u6bb5\u7ed3\u6784\uff0c\u5e76\u5c06\u5b83\u4eec\u8f6c\u6362\u6210\u901a\u7528\u683c\u5f0f\uff0c\u4ee5\u4fbf\u66f4\u8f7b\u677e\u66f4\u5feb\u901f\u7684\u5206\u6790\u548c\u5b9e\u73b0\u5546\u4e1a\u4ef7\u503c\uff1b\r\n    \u5229\u7528grok\u4ece\u975e\u7ed3\u6784\u5316\u6570\u636e\u4e2d\u6d3e\u751f\u51fa\u7ed3\u6784\u5316\u6570\u636e\r\n    \u5229\u7528geoip\u4eceip\u5730\u5740\u5206\u6790\u51fa\u5730\u7406\u5750\u6807\r\n    \u5229\u7528useragent\u4ece\u8bf7\u6c42\u4e2d\u5206\u6790\u64cd\u4f5c\u7cfb\u7edf\u3001\u8bbe\u5907\u7c7b\u578b\r<\/code><\/pre>\n\n\n\n
2.Grok\u63d2\u4ef6<\/em><\/strong><\/p>\n\n\n\n
Grok\u5176\u5b9e\u662f\u5e26\u6709\u540d\u5b57\u7684\u6b63\u5219\u8868\u8fbe\u5f0f\u96c6\u5408\u3002Grok\u5185\u7f6e\u4e86\u5f88\u591apattern\u53ef\u4ee5\u76f4\u63a5\u4f7f\u7528\uff0c\u5982\u4e0b\u914d\u7f6e\u662f\u4e00\u4e2a\u5c06Nginx\u65e5\u5fd7\u683c\u5f0f\u5316\u4e3ajson\u683c\u5f0f\u7684\u914d\u7f6e\u793a\u4f8b\r\n[root@es-node3 ~]# cat \/etc\/logstash\/conf.d\/grok_filter.conf\r\ninput {\r\n\thttp {\r\n\t\tport => 7474\r\n\t}\r\n}\r\n\r\nfilter {\r\n\tgrok {\r\n\t\tmatch => {\r\n\t\t\t\"message\" => \"%{COMBINEDAPACHELOG}\"\r\n\t\t}\r\n\t}\r\n}\r\n\r\noutput {\r\n\tstdout {\r\n\t\tcodec => rubydebug\r\n\t}\r\n}\r<\/code><\/pre>\n\n\n\n
3.Geoip\u63d2\u4ef6<\/em><\/strong><\/p>\n\n\n\n
Geoip\u63d2\u4ef6\u53ef\u4ee5\u6839\u636eIP\u5730\u5740\u63d0\u4f9b\u7684\u5bf9\u5e94\u5730\u57df\u4fe1\u606f\uff0c\u6bd4\u5982\u7ecf\u7eac\u5ea6\u3001\u57ce\u5e02\u540d\u7b49\u3001\u65b9\u4fbf\u8fdb\u884c\u5730\u7406\u6570\u636e\u5206\u6790\uff1b\r\n\u5982\u4e0b\u662f\u4e00\u4e2a\u914d\u7f6e\u793a\u4f8b\r\n[root@es-node3 ~]# cat \/etc\/logstash\/conf.d\/grok_filter.conf\r\ninput {\r\n\thttp {\r\n\t\tport => 7474\r\n\t}\r\n}\r\n\r\nfilter {\r\n\tgrok {\r\n\t\tmatch => {\r\n\t\t\t\"message\" => \"%{COMBINEDAPACHELOG}\"\r\n\t\t}\r\n\t}\r\n\r\n\tgeoip {\r\n\t\tsource => \"clientip\" ###clientip\u9700\u8981\u5728grok\u63d2\u4ef6\u4e2d\u6709\u8fd9\u4e2a\u5b57\u6bb5\r\n\t}\r\n}\r\n\r\noutput {\r\n\tstdout {\r\n\t\tcodec => rubydebug\r\n\t}\r\n}\r<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u7531\u4e8e\u8f93\u51fa\u7684\u5185\u5bb9\u592a\u591a\uff0c\u53ef\u4ee5\u901a\u8fc7fileds\u9009\u9879\u9009\u62e9\u81ea\u5df1\u9700\u8981\u7684\u4fe1\u606f\uff1b\r\n\u5982\u4e0b\u662f\u4e00\u4e2a\u793a\u4f8b\u914d\u7f6e\r\n[root@es-node3 ~]# cat \/etc\/logstash\/conf.d\/grok_filter.conf\r\ninput {\r\n\thttp {\r\n\t\tport => 7474\r\n\t}\r\n}\r\n\r\nfilter {\r\n\tgrok {\r\n\t\tmatch => {\r\n\t\t\t\"message\" => \"%{COMBINEDAPACHELOG}\"\r\n\t\t}\r\n\t}\r\n\r\n\tgeoip {\r\n\t\tsource => \"clientip\"\r\n\t\tfields => [\"country_name\",\"country_code2\",\"timezone\",\"longitude\",\"latitude\",\"continent_code\"] #\u4ec5\u63d0\u53d6\u9700\u8981\u7684\u5b57\u6bb5\r\n\t}\r\n}\r\n\r\noutput {\r\n\tstdout {\r\n\t\tcodec => rubydebug\r\n\t}\r\n}\r\n\u5982\u4e0b\u56fe\u53ef\u4ee5\u770b\u5230\u5c11\u4e86\u5f88\u591a\u4fe1\u606f\r<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
4.date\u63d2\u4ef6<\/em><\/strong><\/p>\n\n\n\n
\u5efa\u8bae\u9605\u8bfb\uff1a\r\nhttps://www.elastic.co\/guide\/en\/logstash\/7.9\/plugins-filters-date.html\r\nDate\u63d2\u4ef6\u5c06\u65e5\u671f\u5b57\u7b26\u4e32\u89e3\u6790\u4e3a\u65e5\u5fd7\u7c7b\u578b\u3002\u7136\u540e\u66ff\u6362@timestamp\u5b57\u6bb5\u6216\u6307\u5b9a\u7684\u5176\u4ed6\u5b57\u6bb5\r\n  match\u7c7b\u578b\u4e3a\u6570\u7ec4\uff0c\u7528\u4e8e\u6307\u5b9a\u65e5\u671f\u7684\u5339\u914d\u683c\u5f0f\uff0c\u53ef\u4ee5\u4ee5\u6b64\u6307\u5b9a\u591a\u79cd\u65e5\u671f\u683c\u5f0f\r\n  target\u7c7b\u578b\u4e3a\u5b57\u7b26\u4e32\uff0c\u7528\u4e8e\u6307\u5b9a\u8d4b\u503c\u7684\u5b57\u6bb5\u540d\uff0c\u9ed8\u8ba4\u662f@timestamp\r\n  timezone\u7c7b\u578b\u4e3a\u5b57\u7b26\u4e32\uff0c\u7528\u4e8e\u6307\u5b9a\u65f6\u533a\u57df\r\n\u5982\u4e0b\u56fe\uff0c@timestamp\u662f\u65e5\u5fd7\u7684\u5199\u5165\u65f6\u95f4\uff0ctimestamp\u662f\u8bbf\u95ee\u65f6\u95f4\uff0c\u6211\u4eec\u5728kibina\u7b5b\u9009\u7684\u5b57\u6bb5\u662f@timestamp\uff0c\u53ef\u80fd\u8bbf\u95ee\u65e5\u5fd7\u5728\u540c\u4e00\u65f6\u95f4\u5199\u5165\u4e86\u5927\u91cf\u65e5\u5fd7\uff0c\u6ca1\u529e\u6cd5\u6309\u7167\u5408\u9002\u7684\u65f6\u95f4\u7b5b\u9009\u65e5\u5fd7\uff0c\u6240\u4ee5\u9700\u8981\u5c06@timestamp\u7528timestamp\u8986\u76d6\u6389\u3002\r<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u5982\u4e0b\u662f\u4e00\u4e2a\u914d\u7f6e\u6587\u4ef6\u793a\u4f8b\r\n[root@es-node3 ~]# cat \/etc\/logstash\/conf.d\/grok_filter.conf\r\ninput {\r\n\thttp {\r\n\t\tport => 7474 ###logstash\u76d1\u542c\u7684\u7aef\u53e3\r\n\t}\r\n}\r\n\r\nfilter {\r\n\tgrok {\r\n\t\tmatch => {\r\n\t\t\t\"message\" => \"%{COMBINEDAPACHELOG}\"\r\n\t\t}\r\n\t}\r\n\r\n\tgeoip {\r\n\t\tsource => \"clientip\"\r\n\t\tfields => [\"country_name\",\"country_code2\",\"timezone\",\"longitude\",\"latitude\",\"continent_code\"] #\u4ec5\u63d0\u53d6\u9700\u8981\u7684\u5b57\u6bb5\r\n\t}\r\n\tdate {\r\n\t\t# 09\/Nov\/2020:08:51:50 +0800\r\n\t\tmatch => [\"timestamp\", \"dd\/MMM\/yyyy:HH:mm:ss Z\" ]\r\n\t\ttarget => \"nginx_date\"\r\n\t\ttimezone => \"Asia\/Shanghai\"\r\n\t}\r\n}\r\n\r\noutput {\r\n\tstdout {\r\n\t\tcodec => rubydebug\r\n\t}\r\n}\r<\/code><\/pre>\n\n\n\n
5.useragent\u63d2\u4ef6<\/em><\/strong><\/p>\n\n\n\n
Useragent\u63d2\u4ef6\u6839\u636e\u8bf7\u6c42\u4e2d\u7684user-agent\u5b57\u6bb5\uff0c\u89e3\u6790\u51fa\u6d4f\u89c8\u5668\u8bbe\u5907\u3001\u64cd\u4f5c\u7cfb\u7edf\u7b49\u4fe1\u606f\uff1b\r\n\u4ee5\u4e0b\u662f\u4e00\u4e2a\u914d\u7f6e\u793a\u4f8b\r\n[root@es-node3 ~]# cat \/etc\/logstash\/conf.d\/grok_filter.conf\r\ninput {\r\n\thttp {\r\n\t\tport => 7474\r\n\t}\r\n}\r\n\r\nfilter {\r\n\tgrok {\r\n\t\tmatch => {\r\n\t\t\t\"message\" => \"%{COMBINEDAPACHELOG}\"\r\n\t\t}\r\n\t}\r\n\tgeoip {\r\n\t\tsource => \"clientip\" ###clientip\u9700\u8981\u5728grok\u63d2\u4ef6\u4e2d\u6709\u8fd9\u4e2a\u5b57\u6bb5\r\n\t\tfields => [\"country_name\",\"country_code2\",\"timezone\",\"longitude\",\"latitude\",\"continent_code\"] #\u4ec5\u63d0\u53d6\u9700\u8981\u7684\u5b57\u6bb5\r\n\t}\r\n\r\n\tdate {\r\n\t\t# 09\/Nov\/2020:08:51:50 +0800\r\n\t\tmatch => [\"timestamp\", \"dd\/MMM\/yyyy:HH:mm:ss Z\" ]\r\n\t\ttarget => \"nginx_date\"\r\n\t\ttimezone => \"Asia\/Shanghai\"\r\n\t}\r\n\r\n\tuseragent {\r\n\t\tsource => \"agent\" ###\u5b57\u6bb5\u6765\u6e90\r\n\t\ttarget => \"user_agent\" ###\u6307\u5b9a\u8986\u76d6\u7684\u5b57\u6bb5\uff0c\u5982\u679c\u6ca1\u6709\u4f1a\u65b0\u751f\u6210\u8fd9\u4e2a\u5b57\u6bb5\r\n\t}\r\n\r\n}\r\n\r\noutput {\r\n\tstdout {\r\n\t\tcodec => rubydebug\r\n\t}\r\n}\r\n\u6548\u679c\u5982\u4e0b\u56fe\r<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
4.logstash filter\u63d2\u4ef6\u4e4bmutate\u63d2\u4ef6<\/h2>\n\n\n\n
1.mutate\u63d2\u4ef6\u4ecb\u7ecd<\/em><\/strong><\/p>\n\n\n\n
mutate\u4e3b\u8981\u662f\u5bf9\u5b57\u6bb5\u8fdb\u884c\u7c7b\u578b\u8f6c\u6362\u3001\u5220\u9664\u3001\u66ff\u6362\u3001\u66f4\u65b0\u7b49\u64cd\u4f5c\uff1b\r\nremove_field \u5220\u9664\u5b57\u6bb5\r\nsplit \u5b57\u7b26\u4e32\u5207\u5272\r\nadd_field \u6dfb\u52a0\u5b57\u6bb5\r\nconvert \u7c7b\u578b\u8f6c\u6362\r\ngsub \u5b57\u7b26\u4e32\u66ff\u6362\r\nrename \u5b57\u6bb5\u91cd\u547d\u540d\r<\/code><\/pre>\n\n\n\n
2.remove_field\u793a\u4f8b<\/em><\/strong><\/p>\n\n\n\n
[root@es-node3 ~]# cat \/etc\/logstash\/conf.d\/grok_filter.conf\r\ninput {\r\n\thttp {\r\n\t\tport => 7474\r\n\t}\r\n}\r\n\r\nfilter {\r\n\tgrok {\r\n\t\tmatch => {\r\n\t\t\t\"message\" => \"%{COMBINEDAPACHELOG}\"\r\n\t\t}\r\n\t}\r\n\tgeoip {\r\n\t\tsource => \"clientip\" ###clientip\u9700\u8981\u5728grok\u63d2\u4ef6\u4e2d\u6709\u8fd9\u4e2a\u5b57\u6bb5\r\n\t\tfields => [\"country_name\",\"country_code2\",\"timezone\",\"longitude\",\"latitude\",\"continent_code\"] #\u4ec5\u63d0\u53d6\u9700\u8981\u7684\u5b57\u6bb5\r\n\t}\r\n\r\n\tdate {\r\n\t\t# 09\/Nov\/2020:08:51:50 +0800\r\n\t\tmatch => [\"timestamp\", \"dd\/MMM\/yyyy:HH:mm:ss Z\" ]\r\n\t\ttarget => \"nginx_date\"\r\n\t\ttimezone => \"Asia\/Shanghai\"\r\n\t}\r\n\r\n\tuseragent {\r\n\t\tsource => \"agent\"\r\n\t\ttarget => \"user_agent\"\r\n\t}\r\n\r\n\tmutate {\r\n\t\tremove_field => [\"headers\",\"message\"]\r\n\t}\r\n\r\n}\r\n\r\noutput {\r\n\tstdout {\r\n\t\tcodec => rubydebug\r\n\t}\r\n}\r\n\u53ef\u4ee5\u770b\u5230\u5c11\u4e86\u5f88\u591a\u5b57\u6bb5\r<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
3.split\u793a\u4f8b<\/em><\/strong><\/p>\n\n\n\n
mutate\u4e2d\u7684split\u5b57\u7b26\u5207\u5272\uff0c\u6307\u5b9a|\u4e3a\u5b57\u6bb5\u5206\u5272\u7b26\r\n\u6d4b\u8bd5\u6570\u636e\uff1a5607|\u63d0\u4ea4\u8ba2\u5355|2020-08031\r\n\u914d\u7f6e\u6587\u4ef6\u793a\u4f8b\r\n[root@es-node3 ~]# cat \/etc\/logstash\/conf.d\/app_filter.conf\r\ninput {\r\n\tstdin { ###\u63d2\u4ef6\u7c7b\u578b\u4e3astdin\r\n\t}\r\n\r\n}\r\n\r\nfilter {\r\n\tmutate {\r\n\t\tsplit => { \"message\" => \"|\" }\r\n\t}\r\n\r\n}\r\n\r\noutput {\r\n\tstdout {\r\n\t\tcodec => rubydebug\r\n\t}\r\n}\r\n\u53ef\u4ee5\u770b\u5230\u5982\u4e0b\u8f93\u51fa\r<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
4.add_field\u793a\u4f8b<\/em><\/strong><\/p>\n\n\n\n
mutate\u4e2dadd_field\u53ef\u4ee5\u5c06\u5206\u5272\u540e\u7684\u6570\u636e\u521b\u5efa\u51fa\u65b0\u7684\u5b57\u6bb5\u540d\u79f0\u3002\u4fbf\u4e8e\u4ee5\u540e\u7684\u7edf\u8ba1\u548c\u5206\u6790\uff1b\r\n\u4ee5\u4e0b\u662f\u4e00\u4e2a\u914d\u7f6e\u793a\u4f8b\r\n[root@es-node3 ~]# cat \/etc\/logstash\/conf.d\/app_filter.conf\r\ninput {\r\n\tstdin { ###\u63d2\u4ef6\u7c7b\u578b\u4e3astdin\r\n\t}\r\n\r\n}\r\n\r\nfilter {\r\n\tmutate {\r\n\t\tsplit => { \"message\" => \"|\" }\r\n\r\n\t\tadd_field => {\r\n\t\t\t\"UserID\" => \"%{[message][0]}\"\r\n\t\t\t\"Action\" => \"%{[message][1]}\"\r\n\t\t\t\"Date\" => \"%{[message][2]}\"\r\n\t\t}\r\n\t}\r\n\r\n}\r\n\r\noutput {\r\n\tstdout {\r\n\t\tcodec => rubydebug\r\n\t}\r\n}\r\n\u53ef\u4ee5\u770b\u5230\u591a\u4e86\u5982\u4e0b\u6dfb\u52a0\u7684\u5b57\u6bb5\r<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
5.convert\u793a\u4f8b<\/em><\/strong><\/p>\n\n\n\n
mutate\u4e2d\u7684convert\u7c7b\u578b\u8f6c\u6362\u3002\u652f\u6301integer\u3001float\u3001string\u7b49\u7c7b\u578b\uff1b\r\n\u5982\u4e0b\u662f\u4e00\u4e2a\u914d\u7f6e\u6587\u4ef6\u793a\u4f8b\r\n[root@es-node3 ~]# cat \/etc\/logstash\/conf.d\/app_filter.conf\r\ninput {\r\n\tstdin { ###\u63d2\u4ef6\u7c7b\u578b\u4e3astdin\r\n\t}\r\n\r\n}\r\n\r\nfilter {\r\n\tmutate {\r\n\t\tsplit => { \"message\" => \"|\" }\r\n\r\n\t\tadd_field => {\r\n\t\t\t\"UserID\" => \"%{[message][0]}\"\r\n\t\t\t\"Action\" => \"%{[message][1]}\"\r\n\t\t\t\"Date\" => \"%{[message][2]}\"\r\n\t\t}\r\n\r\n\t\tconvert => {\r\n\t\t\t\"UserID\" => \"integer\"\r\n\t\t\t\"Action\" => \"string\"\r\n\t\t\t\"Date\" => \"string\"\r\n\t\t}\r\n\t\tremove_field => [\"headers\",\"message\"]\r\n\t}\r\n\r\n}\r\n\r\noutput {\r\n\tstdout {\r\n\t\tcodec => rubydebug\r\n\t}\r\n}\r\n\u6548\u679c\u5982\u4e0b\u56fe\r<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
\u5b59\u5bcc\u9633\uff0c \u6c5f\u6e56\u4eba\u79f0\u6ca1\u4eba\u79f0\u3002\u591a\u5e74\u4e92\u8054\u7f51\u8fd0\u7ef4\u5de5\u4f5c\u7ecf\u9a8c\uff0c\u66fe\u8d1f\u8d23\u8fc7\u5b59\u5e03\u65af\u5927\u89c4\u6a21\u96c6\u7fa4\u67b6\u6784\u81ea\u52a8\u5316\u8fd0\u7ef4\u7ba1\u7406\u5de5\u4f5c\u3002\u64c5\u957fWeb\u96c6 […]<\/p>\n","protected":false},"author":1,"featured_media":246,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"_links":{"self":[{"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/posts\/1609"}],"collection":[{"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1609"}],"version-history":[{"count":6,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/posts\/1609\/revisions"}],"predecessor-version":[{"id":1629,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/posts\/1609\/revisions\/1629"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/media\/246"}],"wp:attachment":[{"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1609"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1609"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1609"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}