Filebeat 定义kibana 索引模式

filebeat.inputs:
- type: log
enabled: true
paths:
- /data/logs/pb-dubbo-user/err_*.log
fields:
source: dubbo-user
multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
multiline.negate: true
multiline.match: after
​
- type: log
enabled: true
paths:
- /data/logs/pb-server-admin/err_*.log
fields:
source: server-admin
multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
multiline.negate: true
multiline.match: after
​
- type: log
enabled: true
paths:
- /data/logs/pb-dubbo-product/err_*.log
fields:
source: dubbo-product
multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
multiline.negate: false
multiline.match: after
​
- type: log
enabled: true
paths:
- /data/logs/pb-server-api/err_*.log
fields:
source: server-api
multiline.pattern: '^[[:space:]]+(at|\.{3})\b|^Caused by|^java\.net|^org\.spring|^org\.apache:'
multiline.negate: true
multiline.match: after
​
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
​
​
setup.template.settings:
index.number_of_shards: 1
​
# 定义模板的相关信息
setup.template.name: "pb_log"
setup.template.pattern: "pb-*"
setup.template.overwrite: true
setup.template.enabled: true
​
#7版本自定义ES的索引需要把ilm设置为false
setup.ilm.enabled: false
​
​
setup.kibana:
hosts: "192.168.100.163:5601"
​
output.elasticsearch:
hosts: ["192.168.100.163:9200"]
index: "pb-%{[fields.source]}-*"
indices:
- index: "pb-dubbo-user-%{+yyyy.MM.dd}"
when.equals:
fields.source: "dubbo-user"
- index: "pb-server-admin-%{+yyyy.MM.dd}"
when.equals:
fields.source: "server-admin"
- index: "pb-server-api-%{+yyyy.MM.dd}"
when.equals:
fields.source: "server-api"
- index: "pb-dubbo-product-%{+yyyy.MM.dd}"
when.equals:
fields.source: "dubbo-product"
​
processors:
    #- add_host_metadata: ~
    #- add_cloud_metadata: ~

    

    - drop_fields:
      fields: ["input_type", "log.offset", "host.name", "input.type", "agent.hostname", "agent.type", "ecs.version", "agent.ephemeral_
id", "agent.id", "agent.version", "fields.ics", "log.file.path", "log.flags" ,"agent.ephemeral_id","agent.id","agent.type","agent.ve
rsion","agent.hostname","cloud.availability_zone","cloud.instance.id","cloud.provider","cloud.region","ecs.version","host.architectu
re","host.containerized","host.id","host.os.codename","host.os.family","host.os.kernel","host.os.name","host.os.platform","host.os.v
ersion","fields.source.keyword"]

 

==================================================================================================

C语言风格日志：

multiline.pattern: '\\$'
multiline.negate: false
multiline.match: before

将JAVA堆栈跟踪日志组合成一个message

multiline.pattern: '^[[:space:]]+(at|\.{3})\b|^Caused by:'
multiline.negate: false
multiline.match: after

时间戳类型：

multiline.pattern: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}'
multiline.negate: true
multiline.match: after


multiline:

• multiline.pattern: 正则表达式，以空格开头，值为^[[:space:]]

• multiline.negate: 是否匹配正则表达式内容，取值为 true|false

• multiline.match: 取值为after|before