I use this logstash configuration to filter my logs:

    input {
      udp {
        port => 9600
        codec => json
      }
      tcp {
        port => 9600
        codec => json
      }
    }
    filter {
      mutate { add_field => [ "pod_id", "${POD_ID}" ] }
      if [docker.image] =~ /consul/ {
        mutate { add_field => [ "image_type", "consul" ] }
      }
      else if [docker.image] =~ /image86/ {
        mutate { add_field => [ "image_type", "image86" ] }
      }
      else if [docker.image] =~ /traefik/ {
        mutate { add_field => [ "image_type", "traefik" ] }
      } else {
        drop {}
      }
    }
    output {
      file {
        path => [ "${LOGSTASH_OUTPUT_PATH}/${NODE_ID}/%{image_type}-%{+YYYY-MM-dd}.log" ]
      }
    }

An example line from the logs:

    {
      "@timestamp": "2017-08-16T10:31:24.912Z",
      "stream": "stderr",
      "port": 58768,
      "@version": "1",
      "host": "127.0.0.1",
      "message": "\"Update /api/v1/namespaces/default/pods/logstash-l0t1l/status\" [638.662326ms] [107.202µs] END",
      "pod_id": "logstash-h04h7",
      "docker": {
        "image": "gcrio.azureedge.net/google_containers/traefik@sha256:97a2133434e2d3b12afcc19d47c53bf4c3539eb8dab1ece0bc58cc9509",
        "hostname": "k8s-master-sdfsd1DC9D-1",
        "name": "/traefik_kube-system_0b2942b3e833432463ca0b767977a99e_0",
        "id": "fbc8bbbdaf2c3845008fc800a6134e2740eb72f9f705b0720a450a9c2d435c76",
        "labels": null
      },
      "tags": []
    }

The problem is that every message gets dropped and nothing reaches the end file. I'm a complete beginner with logstash, so could you help me?
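Answer 0 (score: 1)

To access the value of docker.image in a logstash filter, you have to use [docker][image].

Edit: quote from the logstash documentation:

The syntax to access a field is [fieldname]. If you are referring to a top-level field, you can omit the [] and simply use fieldname. To refer to a nested field, you specify the full path to that field: [top-level field][nested field].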
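
The field-reference rule quoted above, as an added example that is not part of the original answer: a simplified Python model (not Logstash's own code) of how a reference is resolved, run on a trimmed copy of the question's sample event. The function names `resolve` and `image_type` are hypothetical; the model shows why `[docker.image]` finds nothing, so every event reaches `drop {}`.

```python
import re

# Trimmed copy of the sample event from the question (constructed for this example).
EVENT = {
    "stream": "stderr",
    "host": "127.0.0.1",
    "docker": {
        "image": "gcrio.azureedge.net/google_containers/traefik@sha256:"
                 "97a2133434e2d3b12afcc19d47c53bf4c3539eb8dab1ece0bc58cc9509",
        "name": "/traefik_kube-system_0b2942b3e833432463ca0b767977a99e_0",
    },
}

def resolve(event, ref):
    """Simplified model of a Logstash field reference.

    "[a][b]" walks nested keys a -> b. A bare name or "[name]" is a single
    top-level key, so "[docker.image]" means a key literally named
    "docker.image". Returns None when the field does not exist.
    """
    path = re.findall(r"\[([^\[\]]+)\]", ref) or [ref]
    node = event
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def image_type(event, ref):
    """Mirror the question's filter: return the image_type, or None for drop {}."""
    value = resolve(event, ref)
    if not isinstance(value, str):
        return None  # a missing field never matches =~, so the else branch drops
    for name in ("consul", "image86", "traefik"):
        if re.search(name, value):
            return name
    return None

if __name__ == "__main__":
    for ref in ("[docker.image]", "[docker][image]"):
        print(ref, "->", image_type(EVENT, ref) or "dropped")
```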