input {
beats {
port => 5044
}
}
filter {
if "access_logs" in [tags]
{
grok {
match => {
> Getting error in thess lines "message" => "%{IPORHOST:x_forwarded_for} - - \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion})" %{NUMBER:response}"
}
}
}
if "BPM" in [tags]
{
grok {
match => {
"message" => "%{SYSLOG5424SD:BPM_timestamp} %{BASE16NUM:ThreadID} %{WORD:EventType} %{WORD:ShortName} %{WORD:MessageIdentifier}:%{SPACE}%{GREEDYDATA:event}"
}
}
}
if "syslog" in [tags]
{
grok {
match => {
"message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program} (?:\[%{POSINT:syslog_pid}\])?%{GREEDYDATA:syslog_message}"
}
}
}
}
if [tags] == "access_log"
{
output {
elasticsearch {
hosts => ["10.190.188.174:9200"]
index => "access-%{+YYYY.MM.dd}" #indices to the output
}
}
}
else if [tags] == "BPM"
{
output {
elasticsearch {
hosts => ["10.190.188.174:9200"]
index => "bpm-%{+YYYY.MM.dd}"
}
}
}
当我尝试使用服务logstash重新调试时,重启服务不会启动
答案 0 :(得分:0)
你忘了逃脱你的格言串中的"。
它应该是这样的:
"message" => "%{IPORHOST:x_forwarded_for} - - \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion})\\" %{NUMBER:response}"
您的输出也是错误的。您不能有多个输出块。相反,你有一个输出块,并将你的if放在那里:
output {
if[tags] == "access_log" {
elasticsearch {
hosts => ["10.190.188.174:9200"]
index => "access-%{+YYYY.MM.dd}" #indices to the output
}
} else if [tags] == "BPM" {
elasticsearch {
hosts => ["10.190.188.174:9200"]
index => "bpm-%{+YYYY.MM.dd}"
}
}
}