#输入 input { file { path => ["文件路径"] #自定义类型 type => "自定义" start_position => "beginning" } } #过滤器 filter{ #去除换行符 mutate{ gsub => [ "message", " ", "" ] } #逗号分割 mutate { split => ["message",","] } #分割后,字段命名与赋值 mutate{ add_field => { "id" => "%{[message][0]}" "cc" => "%{[message][5]}" "bcc" => "%{[message][6]}" "from_user" => "%{[message][7]}" "size" => "%{[message][8]}" "attachments" => "%{[message][9]}" "content" => "%{[message][10]}" } } #字段里的日期识别,以及时区转换,生成date date { match => [ "mydate", "MM/dd/yyyy HH:mm:ss" ] target => "date" locale => "en" timezone => "+00:00" input { file { path => ["文件路径"] #自定义类型 type => "自定义" start_position => "beginning" } #过滤器 filter{ #去除换行符 mutate{ gsub => [ "message", " ", "" ] #逗号分割 split => ["message",","] } #分割后,字段命名与赋值 mutate{ "id" => "%{[message][0]}" "user" => "%{[message][2]}" "pc" => "%{[message][3]}" "cc" => "%{[message][5]}" "bcc" => "%{[message][6]}" "from_user" => "%{[message][7]}" "attachments" => "%{[message][9]}" "content" => "%{[message][10]}" } } #字段里的日期识别,以及时区转换,生成date date { match => [ "mydate", "MM/dd/yyyy HH:mm:ss" ] target => "date" timezone => "+00:00" } #删除无用字段 mutate { remove_field => "message" remove_field => "mydate" remove_field => "@version" remove_field => "host" remove_field => "path" } #将两个字段转换为整型 mutate{ convert => { "size" => "integer" } convert => { "attachments" => "integer" } } } #输出,输出目标为es output { #stdout { codec => rubydebug } elasticsearch { #目标主机 host => ["目标主机1","目标主机2"] #协议类型 protocol => "http" #索引名 index =>"自定义" #type document_type=>"自定义" } }