Logstash 不同的项目区分同的数据出口
Filebeat配置
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
#表示的是会把 service作为fields的二级字段filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/aa.log
fields:
service: aa
- type: log
enabled: true
paths:
- /var/log/messages*
fields:
service: message
|
**fields_under_root:**如果该选项设置为 true,则新增 **fields **成为顶级目录,而不是将其放在 **fields **目录下。自定义的 **field **会覆盖 **filebeat **默认的 field。例如添加如下配置:
1
2
3
4
|
#表示的是会把 service 作为 fields 顶级字段
fields:
service: message
fields_under_root: true
|
Logstash 配置
没有设置 fields_under_root 为 True 的情况下:
⭐️ 即没有吧Fields的内容提升到顶级选项
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
if [fields][service] == 'aa' {
elasticsearch {
hosts => ["https://node01:9200","https://node02:9200","https://node03:9200"]
index => "logstash-aa-%{+YYYY.MM.dd}"
user => "logstash_writer"
password => "logstash"
}
}
if [fields][service] == "messages" {
elasticsearch {
hosts => ["https://node01:9200","https://node02:9200","https://node03:9200"]
index => "logstash-messages-%{+YYYY.MM.dd}"
user => "logstash_writer"
password => "logstash"
}
}
|
