Create a log file with a single record.
test test 07-05-2018 04:35:434 2018-05-07 06:41:04.844 941
Logstash configuration file.
input {
    file {
        path => "/path/*.log"
        type => "test"
        start_position => beginning
        sincedb_path => "/path/file"
    }
}
filter {
    if [type] == "test" {
        grok {
            match => {
                "message" => "%{EMAILLOCALPART:source} %{EMAILLOCALPART:job} %{DATE:start_date} %{GREEDYDATA:start_time} %{GREEDYDATA:end_date} %{GREEDYDATA:end_time} %{BASE10NUM:rows}"
            }
        }
    }
}
output {
    if [type] == "test" {
        elasticsearch {
            hosts => "ip:9200"
            index => "test"
        }
    }
    else {
        stdout {
            codec => rubydebug
        }
    }
}
The sincedb file.
262220 0 2065 79
curl -XGET 'ip:9200/_cat/indices?v&pretty'
index = test, docs.count = 1
curl -XGET 'ip:9200/test/_search?q=*&pretty&pretty'
"message" : "test test 07-05-2018 04:35:434 2018-05-07 06:41:04.844 941",
"@timestamp" : "2018-06-20T16:22:46.990Z",
Add one more line to the log file.
test test 07-06-2018 05:35:434 2018-06-07 07:41:04.844 941
The sincedb file.
262220 0 2065 79
262308 0 2065 158
curl -XGET 'ip:9200/_cat/indices?v&pretty'
index = test, docs.count = 3
docs.count should be 2.
curl -XGET 'ip:9200/test/_search?q=*&pretty&pretty'
"message" : "test test 07-05-2018 04:35:434 2018-05-07 06:41:04.844 941",
"@timestamp" : "2018-06-20T16:22:46.990Z",
"message" : "test test 07-05-2018 04:35:434 2018-05-07 06:41:04.844 941",
"@timestamp" : "2018-06-20T16:37:36.525Z",
"message" : "test test 07-06-2018 05:35:434 2018-06-07 07:41:04.844 941",
"@timestamp" : "2018-06-20T16:37:36.527Z",
The first and the second are duplicates.
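An added example, not part of the post above, that models how the file input's per-inode bookkeeping turns two log lines into the three documents shown. The two inode numbers are copied from the sincedb entries in the post (262220, then 262308); the Python offset tracker and the content-hash document id are illustrative assumptions, the latter mirroring what Logstash's fingerprint filter combined with the elasticsearch output's document_id option does.

```python
import hashlib

# Constructed sample input: the two log lines from the post, the second one
# appended after the first had already been indexed.
LINE1 = "test test 07-05-2018 04:35:434 2018-05-07 06:41:04.844 941\n"
LINE2 = "test test 07-06-2018 05:35:434 2018-06-07 07:41:04.844 941\n"

# Inode numbers copied from the two sincedb entries in the post.
INODE_ORIGINAL = 262220
INODE_AFTER_REWRITE = 262308


def read_new_lines(sincedb, inode, content):
    """Model of the file input's bookkeeping: the byte offset is stored per
    inode, not per path. Lines past the stored offset are returned and the
    offset is advanced; an inode with no entry starts at offset 0, which is
    what start_position => beginning does for a file seen for the first time."""
    data = content.encode("utf-8")
    offset = sincedb.get(inode, 0)
    sincedb[inode] = len(data)
    return [line for line in data[offset:].decode("utf-8").split("\n") if line]


def simulate(second_write_changes_inode):
    """Run two polls: first with one line, then with the second line added.
    Returns the messages that would reach the output and the final sincedb."""
    sincedb = {}
    emitted = []
    emitted += read_new_lines(sincedb, INODE_ORIGINAL, LINE1)
    # Appending with `>>` keeps the inode; an editor that saves by writing a
    # temporary file and renaming it over the original produces a new inode,
    # which the tracker treats as a brand-new file and reads from offset 0.
    inode = INODE_AFTER_REWRITE if second_write_changes_inode else INODE_ORIGINAL
    emitted += read_new_lines(sincedb, inode, LINE1 + LINE2)
    return emitted, sincedb


def index_by_content_id(messages):
    """Index-side guard (assumed, not from the post): derive the document id
    from a hash of the message, so a re-read line overwrites its earlier copy
    instead of creating a second document."""
    index = {}
    for message in messages:
        doc_id = hashlib.sha256(message.encode("utf-8")).hexdigest()
        index[doc_id] = message
    return index


if __name__ == "__main__":
    for changed in (False, True):
        emitted, sincedb = simulate(changed)
        print(f"inode changed={changed}: {len(emitted)} events, "
              f"{len(index_by_content_id(emitted))} documents after dedup")
        print("  sincedb:", sincedb)
```

Run as a script it reports 2 events when the inode is unchanged and 3 when it changes, with the first line emitted twice, matching the docs.count of 3 in the post. Checking whether the inode in the sincedb moved is therefore the first thing to verify when a single appended line yields an extra document. The content-hash id collapses genuinely identical lines as well, so it suits logs where every line is expected to be distinct; with a fixed document_id the elasticsearch output performs an index operation that overwrites the existing document rather than appending a new one.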