filebeat收集日志时多条件创建索引

Beats | 作者 xuebin | 发布于2018年12月13日 | 阅读数:850

filebeat 收集日志并过滤后发送给es,  发现error日志数据只有一部分,  后来发现错误日志级别变了,  所以进行更改并用错误日志级别当索引创建的条件,  但是按官方文档的写法不行啊, 数据都推送到了默认索引中, 求大家看看我哪里写错了, 在此先谢过了,. 
是不是我没指定处理器名字, 这里要用什么处理器做处理呢

1544697912(1).jpg
  index: "filebeat-%{+yyyy.MM.dd}"
indices:
- index: "sql-%{+yyyy.MM.dd}"
when.contains:
message: "_sql"
- index: "speed-%{+yyyy.MM.dd}"
when.contains:
message: "_speed"
- index: "rest-%{+yyyy.MM.dd}"
when.contains:
message: "_rest"
- index: "user-gw_error-%{+yyyy.MM.dd}"
when:
or:
- contains:
nginx.error.level: "crit"
- contains:
nginx.error.level: "error"
- index: "nginx-user-gw_access-%{+yyyy.MM.dd}"
when:
or:
- contains:
nginx.access.http_version: "1.1"
- contains:
nginx.access.http_version: "1.0"



已邀请:

rochy - rochy_he@tw

赞同来自:

 index: "filebeat-%{+yyyy.MM.dd}"
indices:
- index: "sql-%{+yyyy.MM.dd}"
when.contains:
message: "_sql"
- index: "speed-%{+yyyy.MM.dd}"
when.contains:
message: "_speed"
- index: "rest-%{+yyyy.MM.dd}"
when.contains:
message: "_rest"
- index: "user-gw_error-%{+yyyy.MM.dd}"
when.or:
- contains:
nginx.error.level: "crit"
- contains:
nginx.error.level: "error"
- index: "nginx-user-gw_access-%{+yyyy.MM.dd}"
when.or:
- contains:
nginx.access.http_version: "1.1"
- contains:
nginx.access.http_version: "1.0"
 
可以试试上面的

xuebin

赞同来自:

@rochy 
  index: "filebeat-%{+yyyy.MM.dd}"
indices:
- index: "sql-%{+yyyy.MM.dd}"
when.contains:
message: "_sql"
- index: "speed-%{+yyyy.MM.dd}"
when.contains:
message: "_speed"
- index: "rest-%{+yyyy.MM.dd}"
when.contains:
message: "_rest"
- index: "user-gw_error-%{+yyyy.MM.dd}"
when.or:
- contains:
message: "crit"
- contains:
message: "error"
- index: "nginx-user-gw_access-%{+yyyy.MM.dd}"
when.or:
- contains:
message: "HTTP/1.1"
- contains:
message: "HTTP/1.0"
只能这么写,能不能吧message替换成日志私有的字段,比如"nginx.access.http_version"这样的字段其他日志没有的, 用什么办法能实现

要回复问题请先登录注册