1.首先多索引的filebeat.yml配置如下
並且採集的時候多行日誌處理成一行:
multiline.pattern: ^\[ 匹配以[開頭的行（配合下面的negate與match，不以[開頭的行都會被合併到上一行）
multiline.negate: true 不匹配pattern的都合併到上一行
multiline.match: after 合併到上一行的末尾
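# Two log inputs, one per application log family. Each input attaches a custom
# `fields.index` tag ('biz' / 'device') to its events. Nothing in this block
# consumes the tag; presumably the output section selects the index from it.
# NOTE(review): newer Filebeat releases deprecate the `log` input in favour of
# `filestream` - confirm against the deployed version.
filebeat.inputs:
  - type: log
    paths:
      - /admin/logs/deviceserver.js/biz*.log
    fields:
      index: 'biz'
    # An event starts at a line beginning with "["; with negate=true and
    # match=after, every line that does NOT begin with "[" is appended to the
    # end of the preceding event. The regex is single-quoted so the backslash
    # stays literal. Merged events are bounded by Filebeat's
    # multiline.max_lines / multiline.timeout defaults (500 lines / 5s).
    # NOTE(review): event boundaries depend only on a leading "[", so the
    # application should strip newlines from untrusted values before logging.
    multiline.pattern: '^\['
    multiline.negate: true
    multiline.match: after
  - type: log
    paths:
      - /admin/logs/deviceserver.js/deviceserver*.log
    fields:
      index: 'device'
    # Same multiline grouping as the first input.
    multiline.pattern: '^\['
    multiline.negate: true
    multiline.match: after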
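#============================= Filebeat modules ===============================
filebeat.config.modules:
  # Glob of module configuration files under Filebeat's config directory.
  path: ${path.config}/modules.d/*.yml
  # Module files are not re-read while Filebeat runs; edits under modules.d
  # take effect only after a restart.
  reload.enabled: false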
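#==================== Elasticsearch template setting ==========================
setup.template.settings:
  # Index settings written into the template that Filebeat loads; indices
  # created from it get a single primary shard.
  index.number_of_shards: 1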
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch: