本文共 1505 字，大约阅读时间需要 5 分钟。

#输入input { file {        path => ["文件路径"]#自定义类型        type => "自定义"       start_position => "beginning"    }} #过滤器filter{#去除换行符mutate{gsub => [ "message", "\r", "" ]   } #逗号分割mutate {    split => ["message",","]     } #分割后，字段命名与赋值mutate{                add_field =>   {                                        "id" => "%{[message][0]}"                                        "mydate" => "%{[message][1]}"                                        "user" => "%{[message][2]}"                                        "pc" => "%{[message][3]}"                                        "to_user" => "%{[message][4]}""cc" => "%{[message][5]}""bcc" => "%{[message][6]}""from_user" => "%{[message][7]}"                                        "size" => "%{[message][8]}""attachments" => "%{[message][9]}""content" => "%{[message][10]}"                     }                } #字段里的日期识别，以及时区转换，生成date      date {            match => [ "mydate", "MM/dd/yyyy HH:mm:ss" ]                       target => "date"  locale => "en"  timezone => "+00:00"        } #删除无用字段mutate {    remove_field => "message"      remove_field => "mydate"      remove_field => "@version"      remove_field => "host"      remove_field => "path"    }#将两个字段转换为整型mutate{convert => { "size" => "integer" }convert => { "attachments" => "integer" }}} #输出，输出目标为esoutput {    #stdout { codec => rubydebug }elasticsearch {    #目标主机            host => ["目标主机1","目标主机2"]    #协议类型            protocol => "http"    #索引名            index =>"自定义"        }  }

参考文章

转载地址：http://pbyzk.baihongyu.com/