For installing Logstash 7.7.1 and its basic configuration, see
https://blog.csdn.net/qq_29384639/article/details/107083915
1. Edit the Logstash configuration so that it reads input from the console and writes output to the console
cd /etc/logstash/conf.d
Create a new test configuration file
vim test.conf
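input {
  # Read events line by line from the console
  stdin {}
}
filter {
  grok {
    # QS matches the quoted request line ("GET /favicon.ico HTTP/1.1"); it is stored in the field named referrer
    match => {"message" => "%{IP:ip_address}\ -\ -\ \[%{HTTPDATE:timestamp}\]\ %{QS:referrer}\ %{NUMBER:status}\ %{NUMBER:bytes}"}
  }
  date {
    # Parse the captured timestamp string, e.g. 22/Jun/2020:00:12:33 -0700
    match => ["timestamp","dd/MMM/yyyy:HH:mm:ss Z"]
  }
  mutate {
    # Drop the raw line and @timestamp so only the parsed fields are printed
    remove_field => ["message","@timestamp"]
  }
}
output {
  # Print each event to the console
  stdout {}
}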
2. Start Logstash with this configuration file
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
3. Once startup has finished, type the following into the console
192.168.81.1 - - [22/Jun/2020:00:12:33 -0700] "GET /favicon.ico HTTP/1.1" 200 21630
For a detailed guide to writing grok patterns in the filter, see https://www.elastic.co/guide/en/logstash/7.7/plugins-filters-grok.html
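
The test configuration above deletes message in a separate mutate step, so a line that does not match the grok pattern is printed with only a _grokparsefailure tag and no raw text left to inspect. The variant below is an added example, not part of the original post: it moves remove_field into grok and date, where it is applied only when the filter succeeds, and it keeps @timestamp. The :int casts and the explicit rubydebug codec are additions of this example.

```logstash
input {
  stdin {}
}
filter {
  grok {
    # Same pattern as the test configuration; status and bytes are cast to integers
    match => {"message" => "%{IP:ip_address}\ -\ -\ \[%{HTTPDATE:timestamp}\]\ %{QS:referrer}\ %{NUMBER:status:int}\ %{NUMBER:bytes:int}"}
    # Applied only on a successful match, so an unparsed line keeps its raw text
    remove_field => ["message"]
    # Default tag, written out here so the conditional below is easy to follow
    tag_on_failure => ["_grokparsefailure"]
  }
  # Only parse the date when grok actually extracted a timestamp field
  if "_grokparsefailure" not in [tags] {
    date {
      match => ["timestamp","dd/MMM/yyyy:HH:mm:ss Z"]
      # On success @timestamp holds the request time; drop the string copy.
      # On failure the event is tagged _dateparsefailure and timestamp is kept.
      remove_field => ["timestamp"]
    }
  }
}
output {
  stdout { codec => rubydebug }
}
```

Typing the sample line from step 3 produces an event with ip_address, referrer, status, bytes and an @timestamp taken from the log line; typing any line that does not fit the pattern produces an event that still carries message together with the _grokparsefailure tag.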