This post describes how to use the filters (processors) of Filebeat and Logstash.
References:
filebeat: https://www.elastic.co/guide/en/beats/filebeat/6.8/defining-processors.html
logstash: https://www.elastic.co/guide/en/logstash/6.8/filter-plugins.html
Versions: elasticsearch-6.8.1, filebeat-6.8.0, logstash-6.8.0
I. Requirement:
Store log data like the following in Elasticsearch, using either Filebeat alone or Filebeat + Logstash.
2019-08-23 09:35:45.877 [reactor-http-epoll-4] INFO aa- test:{"auth":true,"deduct":true,"envType":1,"executeTime":22,"id":"a4fff9ab3b194803a33f7b22cb64972a","reqRealHeader":{"Connection":"keep-alive","User-Agent":"Apache-HttpClient/4.5.6 (Java/1.8.0_191)"},"reqRealParam":{}}
II. Implementation:
1. Filtering with Filebeat: add the following to filebeat.yml:
processors:
  - dissect:
      tokenizer: "%{} [%{}] %{} aa- test:%{msg1}"
      field: "message"
      target_prefix: "dissect"
  - decode_json_fields:
      fields: ["dissect.msg1"]
      max_depth: 1
      target: ""
      overwrite_keys: true
  - drop_fields:
      fields: ["message", "dissect"]
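Explanation: by default Filebeat reads each log line into the message field.
1. The dissect processor splits the message string and extracts the JSON string into msg1. At this point msg1 contains: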
{"auth":true,"deduct":true,"envType":1,"executeTime":22,"id":"a4fff9ab3b194803a33f7b22cb64972a","reqRealHeader":{"Connection":"keep-alive","User-Agent":"Apache-HttpClient/4.5.6 (Java/1.8.0_191)"},"reqRealParam":{}}
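2. The decode_json_fields processor converts the JSON string into a JSON object. Here the business requirement is to place all attributes parsed from the JSON at the top level of the event, so target is set to an empty string. You can set target to another value to choose the field under which the decoded data is stored.
3. The drop_fields processor deletes the intermediate data. If it is not deleted, each record will be three times the size of the original data.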
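Added example, not part of the original post and not Filebeat's own code: a small Python emulation of the three processors above, for checking offline what the final event looks like for the sample line. It goes slightly beyond the post by reporting which existing event fields the root-level merge overwrites and by leaving lines that do not parse untouched (a choice of this emulation). Assumptions: dissect() supports only %{} and %{name} keys, and the source metadata field and the COLLIDING line are constructed.

```python
import json
import re

TOKENIZER = "%{} [%{}] %{} aa- test:%{msg1}"  # tokenizer from filebeat.yml above
PREFIX = "2019-08-23 09:35:45.877 [reactor-http-epoll-4] INFO aa- test:"
SAMPLE = PREFIX + ('{"auth":true,"deduct":true,"envType":1,"executeTime":22,'
                   '"id":"a4fff9ab3b194803a33f7b22cb64972a","reqRealHeader":'
                   '{"Connection":"keep-alive","User-Agent":"Apache-HttpClient/4.5.6 (Java/1.8.0_191)"},'
                   '"reqRealParam":{}}')
COLLIDING = PREFIX + '{"id":"x1","source":"from-payload"}'  # constructed line


def dissect(tokenizer, text):
    """Minimal dissect: %{} skips, %{name} captures, everything else is literal."""
    parts = re.split(r"%\{(\w*)\}", tokenizer)  # literal, key, literal, key, ...
    pattern = ""
    for i, part in enumerate(parts):
        if i % 2 == 0:
            pattern += re.escape(part)
            continue
        # The last key takes the rest of the line when no literal follows it.
        body = ".*" if i == len(parts) - 2 and not parts[-1] else ".*?"
        pattern += f"(?P<{part}>{body})" if part else f"(?:{body})"
    match = re.fullmatch(pattern, text, re.DOTALL)
    return match.groupdict() if match else None


def process(event):
    """dissect -> decode_json_fields(target "", overwrite_keys true) -> drop_fields."""
    fields = dissect(TOKENIZER, event.get("message", ""))
    if fields is None:
        return event, ["dissect: no match"]  # emulation choice: keep the raw line
    try:
        decoded = json.loads(fields["msg1"])  # nested JSON strings stay strings (max_depth 1)
    except json.JSONDecodeError as exc:
        return event, [f"json: {exc.msg}"]
    if not isinstance(decoded, dict):
        return event, ["json: not an object"]
    notes = [f"overwrote: {key}" for key in sorted(decoded) if key in event and key != "message"]
    out = {**event, **decoded}  # merge into the event root, decoded keys win
    out.pop("message", None)    # drop_fields: ["message", "dissect"]
    out.pop("dissect", None)
    return out, notes


if __name__ == "__main__":
    for line in (SAMPLE, COLLIDING, "2019-08-23 plain text line"):
        print(process({"message": line, "source": "/var/log/app/app.log"}))
```

If the overwrite notes matter for your data, a non-empty target in decode_json_fields keeps the decoded keys under their own field instead of the event root.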
2. Filtering with Logstash: add the following to logstash-sample.conf:
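filter {
  # Capture everything after the marker that precedes the JSON text.
  # The lookbehind must match the log line; the sample above uses "aa- test:".
  grok {
    match => { "message" => "(?<temMsg>(?<=aa- test:).*)" }
    remove_field => ["message"]
  }
  # Parse the captured JSON string into top-level fields.
  json {
    source => "temMsg"
    remove_field => ["temMsg"]
  }
}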
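Explanation: Logstash receives the data sent by Filebeat; by default the log line is in the message field.
1. The grok filter removes everything except the JSON string. After filtering, the result is stored in temMsg, with the following content: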
{"auth":true,"deduct":true,"envType":1,"executeTime":22,"id":"a4fff9ab3b194803a33f7b22cb64972a","reqRealHeader":{"Connection":"keep-alive","User-Agent":"Apache-HttpClient/4.5.6 (Java/1.8.0_191)"},"reqRealParam":{}}
2. The json filter parses the JSON string in temMsg into a JSON object and places the resulting fields at the top level of the event.