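4. start_position only takes effect when the file has never been watched before. If the sincedb file already contains a record for this file's inode, Logstash will still start reading from the recorded pos. So when testing repeatedly, you need to delete the sincedb file each time (the official blog offers another clever approach: set sincedb_path to /dev/null, so that every restart automatically reads from the beginning).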
---------------------
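Author: 衣舞晨风
Source: CSDN
Original: https://blog.csdn.net/jiankunking/article/details/67640915
Copyright notice: this is an original article by the blogger; please include a link to the post when reposting.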
input {
  file {
    path => ["/elk/kpi.txt"]
    add_field => {"myid" => "kpi"}
    start_position => "beginning"
    # Testing only: no offsets are persisted, so the file is re-read from the start on every restart
    sincedb_path => "/dev/null"
    type => "kpi"
  }
  file {
    path => ["/elk/mydata.txt"]
    add_field => {"myid" => "mydata"}
    start_position => "beginning"
    sincedb_path => "/dev/null"
    type => "kpi"
  }
}
filter {
  # Route on the myid field added by each file input
  if [myid] == "kpi" {
    grok {
      match => { "message" => "(?<indexname>[^,]*),(?<uid>[^,]*),(?<netelementtype>[^,]*),(?<indexcoding>[^,]*),(?<indexlevel>[^,]*),(?<version>[^,]*)" }
    }
  } else if [myid] == "mydata" {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:time},(?<vendorname>[^,]*),(?<elementtype>[^,]*),(?<rmuid>[^,]*),%{NUMBER:a:float},%{NUMBER:b:float},%{NUMBER:c:float},%{NUMBER:d:float}" }
    }
    date {
      match => ["time", "yyyy-MM-dd HH:mm:ss"]
      target => "time"
    }
    # Derive per-element-type KPI fields from the four numeric columns
    if [elementtype] == "CSCF" {
      ruby {
        code => "
          event.set('CSCF0101', ((event.get('a') + event.get('b'))/(event.get('c')+event.get('d'))));
          event.set('CSCF0102', ((event.get('a') + event.get('b'))/(event.get('c')+event.get('d'))) * 10 )
        "
      }
    } else if [elementtype] == "PGW" {
      ruby {
        code => "
          event.set('PGW0101', ((event.get('a') + event.get('b'))/(event.get('c')+event.get('d'))));
          event.set('PGW0102', ((event.get('a') + event.get('b'))/(event.get('c')+event.get('d'))) * 10 )
        "
      }
    }
  }
}
output {
  # Drop events that grok could not parse
  if "_grokparsefailure" not in [tags] {
    if [myid] == "kpi" {
      elasticsearch {
        hosts => "10.12.25.68:9200"
        index => "netelement"
        document_id => "%{uid}"
      }
    } else if [myid] == "mydata" {
      elasticsearch {
        hosts => "10.12.25.68:9200"
        index => "test2"
      }
    }
  }
}
Tested on Logstash 5.5: the file input can read the same file repeatedly.
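The sincedb rule from item 4, modelled as an added example that is not part of the original post or of Logstash's own code. It assumes the four-column record format of the file input (inode, major device, minor device, byte offset); the method names `parse_sincedb` and `resume_offset` are hypothetical, and the sample file is constructed.

```ruby
require "tempfile"

# Parse sincedb text into { [inode, major, minor] => byte offset }.
# Assumed record format: "inode major_dev minor_dev position"; any extra
# columns written by later plugin versions are ignored.
def parse_sincedb(text)
  text.each_line.with_object({}) do |line, table|
    inode, major, minor, pos = line.split
    next if pos.nil? # skip blank or truncated lines
    table[[inode.to_i, major.to_i, minor.to_i]] = pos.to_i
  end
end

# Where reading would begin for `path`: a recorded inode always wins;
# start_position is consulted only for a file that has no record.
def resume_offset(path, sincedb_text, start_position)
  st = File.stat(path)
  key = [st.ino, st.dev_major.to_i, st.dev_minor.to_i]
  table = parse_sincedb(sincedb_text)
  return [table[key], :sincedb] if table.key?(key)
  offset = start_position == "beginning" ? 0 : st.size
  [offset, :start_position]
end

# Constructed sample: a small CSV file and the three situations from the text.
def demo
  file = Tempfile.new("kpi")
  file.write("a,b\nc,d\n")
  file.flush
  st = File.stat(file.path)
  record = "#{st.ino} #{st.dev_major.to_i} #{st.dev_minor.to_i} 4\n"
  {
    # File was watched before: "beginning" is ignored, reading resumes at 4.
    seen_before: resume_offset(file.path, record, "beginning"),
    # sincedb_path => "/dev/null" reads back empty, so every start is a first start.
    dev_null: resume_offset(file.path, "", "beginning"),
    # Never-seen file with start_position "end": only new lines are read.
    tail_only: resume_offset(file.path, "", "end")
  }
ensure
  file&.close!
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Because `/dev/null` never persists an offset, a pipeline left with that setting re-ingests every watched file in full after each restart, which is why the text recommends it only for repeated testing.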
Reposted from blog.csdn.net/weixin_34061555/article/details/87176876