filebeat.inputs:
- type: log
enabled: true
paths:
- /data/logs/pb-dubbo-user/err_*.log
fields:
source: dubbo-user
multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
multiline.negate: true
multiline.match: after
- type: log
enabled: true
paths:
- /data/logs/pb-server-admin/err_*.log
fields:
source: server-admin
multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
multiline.negate: true
multiline.match: after
- type: log
enabled: true
paths:
- /data/logs/pb-dubbo-product/err_*.log
fields:
source: dubbo-product
multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
multiline.negate: false
multiline.match: after
- type: log
enabled: true
paths:
- /data/logs/pb-server-api/err_*.log
fields:
source: server-api
multiline.pattern: '^[[:space:]]+(at|\.{3})\b|^Caused by|^java\.net|^org\.spring|^org\.apache:'
multiline.negate: true
multiline.match: after
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
setup.template.settings:
index.number_of_shards: 1
# 定义模板的相关信息
setup.template.name: "pb_log"
setup.template.pattern: "pb-*"
setup.template.overwrite: true
setup.template.enabled: true
#7版本自定义ES的索引需要把ilm设置为false
setup.ilm.enabled: false
setup.kibana:
hosts: "192.168.100.163:5601"
output.elasticsearch:
hosts: ["192.168.100.163:9200"]
index: "pb-%{[fields.source]}-*"
indices:
- index: "pb-dubbo-user-%{+yyyy.MM.dd}"
when.equals:
fields.source: "dubbo-user"
- index: "pb-server-admin-%{+yyyy.MM.dd}"
when.equals:
fields.source: "server-admin"
- index: "pb-server-api-%{+yyyy.MM.dd}"
when.equals:
fields.source: "server-api"
- index: "pb-dubbo-product-%{+yyyy.MM.dd}"
when.equals:
fields.source: "dubbo-product"
processors:
#- add_host_metadata: ~
#- add_cloud_metadata: ~
- drop_fields:
fields: ["input_type", "log.offset", "host.name", "input.type", "agent.hostname", "agent.type", "ecs.version", "agent.ephemeral_
id", "agent.id", "agent.version", "fields.ics", "log.file.path", "log.flags" ,"agent.ephemeral_id","agent.id","agent.type","agent.ve
rsion","agent.hostname","cloud.availability_zone","cloud.instance.id","cloud.provider","cloud.region","ecs.version","host.architectu
re","host.containerized","host.id","host.os.codename","host.os.family","host.os.kernel","host.os.name","host.os.platform","host.os.v
ersion","fields.source.keyword"]
==================================================================================================
C语言风格日志:
multiline.pattern: '\\$' multiline.negate: false multiline.match: before
将JAVA堆栈跟踪日志组合成一个message
multiline.pattern: '^[[:space:]]+(at|\.{3})\b|^Caused by:'
multiline.negate: false
multiline.match: after
时间戳类型:
multiline.pattern: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}'
multiline.negate: true
multiline.match: after
multiline:
-
multiline.pattern: 正则表达式,以空格开头,值为^[[:space:]]
-
multiline.negate: 是否匹配正则表达式内容,取值为 true|false
-
multiline.match: 取值为after|before
标签:Filebeat,log,source,fields,kibana,pb,索引,host,multiline From: https://www.cnblogs.com/walkersss/p/16919485.html