Demo entry 6630660

logstash_filter_beats.conf

   

Submitted by lu on Jul 10, 2017 at 11:27
Language: Bash. Code size: 803 Bytes.

# Receives events from Beats shippers on TCP port 5044.
# NOTE(review): no ssl / ssl_certificate / ssl_key / ssl_verify_mode settings
# are set in this block, so as written the listener takes plaintext connections
# and does not authenticate the sender. Any host that can reach the port can
# submit events that end up in the CSV files below. Restrict the port at the
# network level or enable the plugin's TLS options with client verification.
input {
  beats {
    port => 5044
  }
}

filter {  
	# Parses lines of the form
	#   "<yyyy-MM-dd HH:mm:ss.SSS> [<title>] <method> <info> - Request path is: ...<digits>..."
	# into the fields date, title, method, info and comment (the first digit run
	# after "Request path is: "), and tags matching events with "tag_login".
	# The captured values are raw text from the shipped log line and should be
	# treated as untrusted by anything that consumes them.
	grok {
		match => {
			"message" => "(?<date>\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d\d) \[(?<title>\S+)\] (?<method>\S+) (?<info>\S+) - Request path is: \D+(?<comment>\d+)\D+"
		} 
		add_tag => ["tag_login"]
	}
	# Catch-all: [\s\S]+ matches any non-empty message, so the text is copied
	# into "comm" and "tag_all" is added to every such event, including the
	# ones already tagged "tag_login" above.
	grok {
		match => {
			"message" => "(?<comm>[\s\S]+)"
		} 
		add_tag => ["tag_all"]
	}
	# Sets index_day to the event's @timestamp in local time, formatted YYYYMMDD.
	# The output section interpolates this field into the CSV file names; it is
	# built only from the timestamp via strftime, not from log message content.
	ruby {
		code => "event.set('index_day', event.get('[@timestamp]').time.localtime.strftime('%Y%m%d'))"
	}
}

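# Writes parsed events to per-day CSV files.
#
# Fix: the second branch tested for "tag_all_" (trailing underscore), a tag that
# nothing in this file adds, so events that did not match the login pattern were
# silently dropped. It now tests "tag_all", the tag set by the catch-all grok.
#
# Branch order matters: the catch-all grok tags every event with "tag_all", so
# login events are routed first and only the remainder falls through to comm_*.
#
# NOTE(review): the field values are written as they were captured from the
# shipped log lines. If these CSVs are opened in a spreadsheet application,
# values beginning with =, +, - or @ can be interpreted as formulas. Check
# whether the installed csv output plugin version provides the spreadsheet_safe
# option and leave it enabled.
#
# The file name is interpolated only from index_day, which the ruby filter in
# this file builds from @timestamp via strftime, so log content does not
# influence the output path.
output {
	if "tag_login" in [tags] {
		csv {
			fields => ["date","title","method","info","comment"]
			path => "E:/logstash-5.4.2/data/login_%{index_day}.csv"
		}
	} else if "tag_all" in [tags] {
		csv {
			fields => ["comm"]
			path => "E:/logstash-5.4.2/data/comm_%{index_day}.csv"
		}
	}
}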
