Question

我的Filebeat配置非常简单 -

- input_type: log
  paths:
    - C:\log\FilebeatInputTest.txt

output.logstash:
  hosts: ["http://X.X.X.X:XXXX"]

如果我在ilebeatInputTest.txt中写一些内容 - This is from Filebeat

我在弹性搜索中输出类似于 - ....... "index": "logstash-" "source" : { "@timestamp": "2017-05-19T06:41:02.663Z", "beat": { "hostname": "CHITTARS02", "name": "CHITTARS02", "version": "5.4.0" }, "input_type": "log", "message": "This is from Filebeat", "offset": 23, "source": "C:\\log\\FilebeatInputTest.txt", "type": "log" } .....

我的管道是Filebeat(monitoring FilebeatInputTest.txt) > Logstash > Elasticsearch

logstash.cnf如下 -

input {

    beats {
        port => 25000
    }
}
output {

    elasticsearch {
        hosts => ["http://xx.xx.xx.xx:XX"]
        user => "elastic"
        password => "changeme"
    }
}

问题：我可以删除所有不需要的密钥吗？输出值？也就是说，我希望我的输出应该是 -

....... "index": "logstash-" "source" : { "message": "This is from Filebeat", } ......

我想删除"@timestamp", "beat","input_type""offset","source","type"

我尝试了以下 -

filter{
    prune {
        blacklist_names => ["@timestamp", "beat","input_type""offset","source","type"]
    }

}

和

filter{
    mutate {
        remove_field => ["@timestamp", "beat","input_type""offset","source","type"]
    }
}

但没有帮助，结果相同

Answer 1

另一种解决方案是使用 filebeat 删除这些字段。

processors:
  - add_host_metadata: ~
  - drop_fields:
    fields: ["type", "@version", "offset", "tags"]

Answer 2

您使用了正确的方法，但您的remove_field列表中存在拼写错误。你错过了一个逗号。它应该是：

filter{
    mutate {
        remove_field => [ "@timestamp", "beat", "input_type", "offset", "source", "type" ]
    }
}

Answer 3

可能猜测是你忘了把端口放在引号中;而不是25000使用"25000"。试试这个

input {

    beats {
        port => "25000"
    }
}

filter{
    mutate {
        remove_field => ["@timestamp", "beat","input_type","offset","source","type","@version","host","tags"]
    }
}

output {

    elasticsearch {
        hosts => ["http://xx.xx.xx.xx:XX"]
        user => "elastic"
        password => "changeme"
    }
}

输入

This is from Filebeat

输出

{
    "_index" : "logstash-",
    "_type" : "logs",
    "_id" : "AVwglLbLfqaeaIoZluvE",
    "_score" : 1.0,
    "_source" : {
      "message" : "This is from Filebeat"
    }
}

我还删除了字段"@version","host"和"tags"。

希望这有帮助。

Filebat / Logstash删除不需要的字段＆amp;输出值

3 个答案: