grok regular-expression capture:
grok is the most important Logstash plugin. You can predefine named regular expressions in grok and reference them later (from grok parameters or from other regular expressions).
2.3.3 GeoIP address lookup:
GeoIP is the most widely used free IP-address geolocation library; a paid edition is also available. The GeoIP library returns the geographic information that corresponds to an IP address:
input { stdin {} }
filter {
  geoip {
    source => "message"
  }
}
output {
  stdout {
    codec => rubydebug
  }
}
Entering the IP address 183.60.92.253 on stdin produces the following event:
{
       "message" => "183.60.92.253",
      "@version" => "1",
    "@timestamp" => "2016-08-23T08:45:29.159Z",
          "host" => "0.0.0.0",
         "geoip" => {
                      "ip" => "183.60.92.253",
           "country_code2" => "CN",
           "country_code3" => "CHN",
            "country_name" => "China",
          "continent_code" => "AS",
             "region_name" => "30",
               "city_name" => "Guangzhou",
                "latitude" => 23.11670000000001,
               "longitude" => 113.25,
                "timezone" => "Asia/Chongqing",
        "real_region_name" => "Guangdong",
                "location" => [
            [0] 113.25,
            [1] 23.11670000000001
        ]
    }
}
2.3.4 JSON encoding and decoding:
2.4 Output plugins:
Output to Elasticsearch:
output {
  if [type] == "zj_nginx_access" {
    elasticsearch {
      hosts => "192.168.32.80:9200"
      index => "logstash-zjzc-nginx-%{+YYYY.MM.dd}"
    }
    stdout {
      codec => rubydebug
    }
  }
  else if [type] == "uat_nginx_access" {
    elasticsearch {
      hosts => "192.168.32.81:9200"
      index => "logstash-uat-nginx-%{+YYYY.MM.dd}"
    }
    stdout {
      codec => rubydebug
    }
  }
}
2. Explanation:
Index name: the name of the Elasticsearch index to write to; variables may be used here. To fit log use cases better, Logstash supports the %{+YYYY.MM.dd} notation: when the syntax is parsed, anything that starts with a + sign is automatically treated as a time format.
Also note that an index name must not contain uppercase letters; otherwise Elasticsearch reports an error in its log.
Protocol: the new plugin now supports three protocols: node, http and transport.
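As an added example (not from this page and not Logstash's own code), the following Python models the two mechanisms described above: grok-style expansion of predefined named patterns (the grok section) and resolution of %{field} / %{+YYYY.MM.dd} references when building an index name, including the lowercase rule. The pattern library, the nginx access line and the event are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Tiny grok-style pattern library (constructed for this example; Logstash ships
# far more). A pattern may reference others as %{NAME} or %{NAME:field}.
PATTERNS = {
    "INT": r"[+-]?\d+",
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "WORD": r"\w+",
    "NOTSPACE": r"\S+",
    "HTTPDATE": r"\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
    "NGINXACCESS": (r'%{IPV4:clientip} - - \[%{HTTPDATE:ts}\] '
                    r'"%{WORD:verb} %{NOTSPACE:request} [^"]+" %{INT:status} %{INT:bytes}'),
}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def grok_compile(pattern, library=PATTERNS):
    """Expand %{NAME[:field]} references recursively into a regex with named groups."""
    def expand(m):
        name, field = m.groups()
        body = GROK_REF.sub(expand, library[name])  # nested references resolve too
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(GROK_REF.sub(expand, pattern))

SPRINTF_REF = re.compile(r"%\{(\+?)([^}]+)\}")
JODA_TO_STRFTIME = {"YYYY": "%Y", "MM": "%m", "dd": "%d"}

def sprintf(fmt, event):
    """Resolve %{field}; a leading '+' marks a Joda time format applied to @timestamp."""
    def resolve(m):
        plus, ref = m.groups()
        if plus:
            for joda, py in JODA_TO_STRFTIME.items():
                ref = ref.replace(joda, py)
            return event["@timestamp"].strftime(ref)
        return str(event.get(ref, ""))
    return SPRINTF_REF.sub(resolve, fmt)

def index_name(pattern, event):
    """Build the Elasticsearch index name, rejecting uppercase (ES refuses it)."""
    name = sprintf(pattern, event)
    if name != name.lower():
        raise ValueError(f"index name must be lowercase: {name}")
    return name

# Constructed sample: one nginx access line and the event's @timestamp.
SAMPLE_LINE = '183.60.92.253 - - [23/Aug/2016:08:45:29 +0000] "GET /login HTTP/1.1" 200 512'
SAMPLE_EVENT = {"type": "zj_nginx_access", "message": SAMPLE_LINE,
                "@timestamp": datetime(2016, 8, 23, 8, 45, 29, tzinfo=timezone.utc)}
```

Calling grok_compile("%{NGINXACCESS}").match(SAMPLE_LINE).groupdict() yields the captured fields, and index_name("logstash-zjzc-nginx-%{+YYYY.MM.dd}", SAMPLE_EVENT) yields the daily index name the output block above would write to.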