input {
  # Log data arrives from log4j socket appenders on two TCP listeners, one per
  # record shape; the `type` tag is what the filter section branches on.
  # NOTE(review): per the plugin's documentation the log4j input deserializes
  # Java-serialized log4j 1.x events and is deprecated upstream. Nothing here
  # configures authentication or TLS, so any host that can reach these ports
  # can inject events — keep them reachable only from the application hosts.
  log4j {
    type => "simple"      # pipe-delimited summary records
    host => "10.104.112.175"
    port => 4561
  }
  log4j {
    type => "detail"      # full log lines carrying a "TJParam ..." suffix
    host => "10.104.112.175"
    port => 4560
  }
}
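filter {
  # Turn the two record shapes into the fields the ES index is queried by.
  if [type] == "simple" {
    # "simple" records are pipe-delimited:
    #   requestId|timeCost|responseStatus|channelCode|transCode
    mutate {
      # mutate applies split before add_field, so [message] is already an
      # array by the time the sprintf references below are evaluated.
      split => { "message" => "|" }
      # One add_field hash instead of five repeated keys: Logstash merges
      # duplicate hash options, but repeating the key is easy to misread and
      # newer versions warn about it.
      add_field => {
        "requestId"      => "%{[message][0]}"
        "timeCost"       => "%{[message][1]}"
        "responseStatus" => "%{[message][2]}"
        "channelCode"    => "%{[message][3]}"
        "transCode"      => "%{[message][4]}"
      }
    }
    # timeCost is a string after the split; store it as an integer so ES can
    # range-filter and aggregate on it. If a record has fewer than five
    # fields, the missing index is left as the literal "%{[message][N]}" text
    # and the integer conversion fails for that event (it is not dropped).
    mutate {
      convert => { "timeCost" => "integer" }
    }
  } else if [type] == "detail" {
    # Pull the three tokens that follow "TJParam" out as their own fields.
    # The leading ".*" is unanchored, so on long lines that contain no
    # "TJParam" the regex engine retries from every offset; anchoring the
    # pattern would bound that cost.
    grok {
      match => {
        "message" => ".*TJParam %{PROG:requestId} %{PROG:channelCode} %{PROG:transCode}"
      }
    }
    # Keep everything before "TJParam" as the new message body.
    grok {
      match => {
        "message" => "(?<temMsg>(.*)(?=TJParam)/?)"
      }
      # remove_field is a plugin-level option. In the original it sat inside
      # the `match` hash, where it reads as a pattern list for a field named
      # "remove_field" and is effectively ignored. As a plugin option it only
      # fires when this grok matches, so a message without "TJParam" keeps
      # its original text instead of being dropped.
      remove_field => ["message"]
    }
    mutate {
      rename => { "temMsg" => "message" }
    }
  }
}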
output {
  # Destination: Elasticsearch, one index per calendar month.
  # NOTE(review): no ssl/user/password/api_key options are set here, so
  # events are sent to 10.104.112.175:9200 over plain HTTP without
  # credentials — restrict network access to the cluster accordingly.
  elasticsearch {
    hosts  => ["10.104.112.175:9200"]
    index  => "supergwlog--%{+YYYY-MM}"   # monthly rolling index (double dash is part of the name)
    action => "index"
  }
}