[log]logstash添加字段.geoip展示

add_field

配置文件

# Minimal pipeline used to demonstrate add_field: tail /tmp/a.txt, attach a static
# "testfield" to every event, mark the events with type "a-txt", and route only those
# events to Elasticsearch (daily index) plus a rubydebug dump on stdout.
input{
    file{
        add_field => {"testfield"=>"testfield"}   # static key/value added to every event read from this file
        path => ["/tmp/a.txt"]
        type => "a-txt"                           # routing key checked by the conditional in the output section
    }
}

output{
    if [type] == "a-txt"{
        elasticsearch{
            hosts => ["192.168.6.104:9200"]       # NOTE(review): no ssl/user/password options appear here - confirm the cluster is only reachable from a trusted network or is secured by other means
            index => "a-txt-%{+YYYY-MM-dd}"       # one index per day; %{+...} is Logstash's event-timestamp formatting
        }
        stdout { codec => rubydebug }             # prints the full event (all fields) to stdout; handy for testing, noisy in production
    }
}

測試:

echo 4 >> a.txt
echo 5 >> a.txt

輸出

{
          "path" => "/tmp/a.txt",
    "@timestamp" => 2017-09-17T02:40:20.327Z,
      "@version" => "1",
          "host" => "no104.p100.net",
       "message" => "4",
          "type" => "a-txt",
     "testfield" => "testfield"
}
{
          "path" => "/tmp/a.txt",
    "@timestamp" => 2017-09-17T02:40:23.336Z,
      "@version" => "1",
          "host" => "no104.p100.net",
       "message" => "5",
          "type" => "a-txt",
     "testfield" => "testfield"
}

多個tag

用於增加一些標籤,這個標籤可能在後續的處理中起到標誌的作用
來自 http://blog.csdn.net/wjacketcn/article/details/50960843

給日誌打tag

輸出

{
          "path" => "/tmp/a.txt",
    "@timestamp" => 2017-09-17T03:01:31.771Z,
      "@version" => "1",
          "host" => "no104.p100.net",
       "message" => "10",
          "type" => "a-txt",
     "testfield" => "testfield",
          "tags" => [
        [0] "mytag"
    ]
}

kibana展示

多個tag

輸出

{
          "path" => "/tmp/a.txt",
    "@timestamp" => 2017-09-17T03:11:18.462Z,
      "@version" => "1",
          "host" => "no104.p100.net",
       "message" => "11",
          "type" => "a-txt",
     "testfield" => "testfield",
          "tags" => [
        [0] "mytag",
        [1] "mytag2",
        [2] "mytag3"
    ]
}

kibana展示

配置:

[root@no104 logstash]# cat all.conf
# Same pipeline as above, extended with start_position and a list of tags so that
# every event carries tags ["mytag","mytag2","mytag3"] for later filtering.
input{
    file{
        add_field => {"testfield"=>"testfield"}   # static key/value added to every event read from this file
        path => ["/tmp/a.txt"]
        type => "a-txt"                           # routing key checked by the conditional in the output section
        start_position => "beginning"             # read the file from the start on first sight; presumably a file already tracked in sincedb resumes from its recorded offset - verify against the installed file-input version
        tags => ["mytag","mytag2","mytag3"]       # appended to the event's "tags" array, in this order
    }
}

output{
    if [type] == "a-txt"{
        elasticsearch{
            hosts => ["192.168.6.104:9200"]       # NOTE(review): no ssl/user/password options appear here - confirm the cluster is only reachable from a trusted network or is secured by other means
            index => "a-txt-%{+YYYY-MM-dd}"       # one index per day
        }
        stdout { codec => rubydebug }             # full event dump to stdout for inspection
    }
}

geoip的配置

參考:
http://liubenlong.github.io/2016/11/29/ELK/ELK%20%E4%B9%8B%20nginx%E6%97%A5%E5%BF%97%E5%88%86%E6%9E%90/
http://xiaoluoge.blog.51cto.com/9141967/1891366

[root@no104 conf]# cat getip.conf
# GeoIP enrichment for Tomcat access logs: each log line is decoded as JSON, the
# clientip field is resolved against a local GeoLite2 City database, and the
# longitude/latitude pair is assembled into a float array [geoip][coordinates]
# before the event is indexed into a daily logstash-tomcat-access-* index.
input{
    file{
        type => "tomcat-access"
        path => ["/data/tomcat/logs/tomcat_access_log.*.log"]
        start_position => "beginning"
        codec  => "json"          # each line is expected to be one JSON object; presumably lines that fail to parse are tagged _jsonparsefailure and kept with the raw line in "message" - confirm for the installed codec version
    }
}
filter{
    if[type] == "tomcat-access" {
        geoip {
            source => "clientip"      ## event field holding the IP address to look up
                target => "geoip"     ## field the lookup result (city, country, longitude, latitude, ...) is written to
                database => "/data/es/conf/GeoLite2-City_20170905/GeoLite2-City.mmdb"  ## local GeoLite2 City database; the dated directory name suggests it is refreshed manually - keep it current
                add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]   ## append LONGITUDE to [geoip][coordinates] (original comment had longitude/latitude swapped)
                add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]   ## append LATITUDE; both add_field entries fill the same array, giving [lon, lat], the order Elasticsearch geo_point arrays expect - do not swap these lines
        }
        mutate {
            convert => [ "[geoip][coordinates]", "float"] ## add_field produces strings; convert the pair to floats so it can be mapped as a geo_point
        }
    }
}

output{
    elasticsearch{
        hosts => ["192.168.6.104:9200"]          # NOTE(review): no ssl/user/password options appear here - confirm the cluster is only reachable from a trusted network or is secured by other means
        index => "logstash-tomcat-access-%{+YYYY.MM.dd}"   # unconditional: every event from this pipeline goes here, not only tomcat-access
    }
    stdout {
        codec => rubydebug                       # full event dump (including resolved client locations) to stdout; disable outside of testing
    }
}