我正在构建ELK安装程序,并且可以正常工作,但是我遇到了一种情况,我想在像logstash这样通过remove_field处理时从系统日志数据中删除某些字段&remove_tag,我已经在自己的logstash配置文件中定义了,但是它不起作用。
寻找任何尊敬和专家意见来纠正配置以使其运行,非常感谢高级。
[root@sandbox-prd~]# cat /etc/logstash/conf.d/syslog.conf
input {
file {
path => [ "/data/SYSTEMS/*/messages.log" ]
start_position => beginning
sincedb_path => "/dev/null"
max_open_files => 64000
type => "sj-syslog"
}
}
filter {
if [type] == "sj-syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp } %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
remove_field => ["@version", "host", "_type", "_index", "_score", "path"]
remove_tag => ["_grokparsefailure"]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
output {
if [type] == "sj-syslog" {
elasticsearch {
hosts => "sandbox-prd02:9200"
manage_template => false
index => "sj-syslog-%{+YYYY.MM.dd}"
document_type => "messages"
}
}
}
syslog_pid:6662 type:sj-syslog syslog_message:(root) CMD (LANG=C LC_ALL=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg --lock-file /var/lock/mrtg/mrtg_l --confcache-file /var/lib/mrtg/mrtg.ok) syslog_severity:notice syslog_hostname:dbaprod01 syslog_severity_code:5 syslog_timestamp:Feb 11 10:25:02 @timestamp:February 11th 2019, 23:55:02.000 message:Feb 11 10:25:02 dbaprod01 CROND[6662]: (root) CMD (LANG=C LC_ALL=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg --lock-file /var/lock/mrtg/mrtg_l --confcache-file /var/lib/mrtg/mrtg.ok) syslog_facility:user-level syslog_facility_code:1 syslog_program:CROND received_at:February 11th 2019, 10:25:03.353 _id:KpHo2mgBybCgY5IwmRPn _type:messages
_index:sj-syslog-2019.02.11 _score: -
操作系统版本:Linux 7
Logstash版本:6.5.4
答案 0 :(得分:2)
您无法删除_type和_index,它们是Elasticsearch工作所需的元数据字段,它们具有有关您的索引名和数据映射的信息,_score字段也是在搜索时生成的元数据字段,不在您的文档上。