ELK根据字段拆分合并

 

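input {
  beats {
    # Filebeat ships to this listener. With no ssl* options set it is a
    # plaintext listener; if Filebeat runs on other hosts, enable TLS here
    # (ssl, ssl_certificate, ssl_key) rather than relying on the network.
    port => 5044
  }
}

filter {
  # Join multi-line events: a line that does NOT start with
  # "Application_Stdout" belongs to the previous event.
  # NOTE: the multiline *filter* plugin is deprecated in favour of doing the
  # join in Filebeat (multiline.* settings) or with the multiline codec, so
  # that events are already whole when they reach Logstash.
  multiline {
    #pattern => "^\d{4}-\d{2}-\d{2}" # alternative: a new event starts with a timestamp
    pattern => "^Application_Stdout" # a new event starts with "Application_Stdout"
    negate => true                   # act on lines that do NOT match the pattern ...
    what => "previous"               # ... and append them to the previous line
  }

  # Derive index_prefix from [fields][project], which the shipper (Filebeat)
  # sets per input. Note that `"x" in [fields][project]` is a substring test,
  # not an equality test, so e.g. "qfzs-shop-v2" also maps to "qfzs-shop";
  # the first matching branch wins.
  if "assistant" in [fields][project] {
    mutate { add_field => { "index_prefix" => "assistant" } }
  }
  else if "qfzs-shop" in [fields][project] {
    mutate { add_field => { "index_prefix" => "qfzs-shop" } }
  }
  else if "qfzs-table" in [fields][project] {
    mutate { add_field => { "index_prefix" => "qfzs-table" } }
  }
  else if "qfzs-user" in [fields][project] {
    mutate { add_field => { "index_prefix" => "qfzs-user" } }
  }
  else if "test-management" in [fields][project] {
    mutate { add_field => { "index_prefix" => "test-management" } }
  }
  else if "test-server" in [fields][project] {
    mutate { add_field => { "index_prefix" => "test-server" } }
  }
  else {
    # Unknown or missing project: tag the event so unrouted logs stay visible
    # downstream. index_prefix is left unset, exactly as before.
    mutate { add_tag => [ "_project_unmatched" ] }
  }

  # Split the "Application_Stdout " marker off into its own field. Events that
  # do not match get grok's default _grokparsefailure tag.
  grok {
    match => { "message" => "Application_Stdout %{GREEDYDATA:application_stdout}" }
  }
}

output {
  # Elasticsearch (or other) output goes here. If the index name is built from
  # %{index_prefix}, route events tagged _project_unmatched separately, since
  # an unset field would otherwise yield a literal "%{index_prefix}" index.
  # ...
}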
