Filebeat/Logstash: removing unwanted fields and values from the output



My Filebeat configuration is very simple -

- input_type: log
  paths:
    - C:\log\FilebeatInputTest.txt
output.logstash:
  hosts: ["http://X.X.X.X:XXXX"]

If I write something in FilebeatInputTest.txt, for example - This is from Filebeat

I get output like this in Elasticsearch - ....... "index": "logstash-" "source" : { "@timestamp": "2017-05-19T06:41:02.663Z", "beat": { "hostname": "CHITTARS02", "name": "CHITTARS02", "version": "5.4.0" }, "input_type": "log", "message": "This is from Filebeat", "offset": 23, "source": "C:\log\FilebeatInputTest.txt", "type": "log" } .....

My pipeline is Filebeat (monitoring FilebeatInputTest.txt) > Logstash > Elasticsearch

logstash.cnf is as follows -

input {
    beats {
        port => 25000
    }
}
output {
    elasticsearch {
        hosts => ["http://xx.xx.xx.xx:XX"]
        user => "elastic"
        password => "changeme"
    }
}

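Question: Can I remove all the unwanted keys and values from the output? That is, I would like my output to look like this -

....... "index": "logstash-" "source" : { "message": "This is from Filebeat", } ......

I want to remove "@timestamp", "beat","input_type""offset","source","type"

I tried the following -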

filter{
    prune {
        blacklist_names => ["@timestamp", "beat","input_type""offset","source","type"]
    }
}

filter{
    mutate {
        remove_field => ["@timestamp", "beat","input_type""offset","source","type"]
    }
}

But it did not help; the result is the same.

The approach you are using is correct, but there is a typo in your remove_field list. You missed a comma. It should be:

filter{
    mutate {
        remove_field => [ "@timestamp", "beat", "input_type", "offset", "source", "type" ]
    }
}

Another solution is to use Filebeat to drop these fields.

processors:
  - add_host_metadata: ~
  - drop_fields:
      fields: ["type", "@version", "offset", "tags"]

My guess is that you forgot to put the port in quotes; use "25000" instead of 25000. Try this

input {
    beats {
        port => "25000"
    }
}
filter{
    mutate {
        remove_field => ["@timestamp", "beat","input_type","offset","source","type","@version","host","tags"]
    }
}
output {
    elasticsearch {
        hosts => ["http://xx.xx.xx.xx:XX"]
        user => "elastic"
        password => "changeme"
    }
}

Input

This is from Filebeat

Output

{
    "_index" : "logstash-",
    "_type" : "logs",
    "_id" : "AVwglLbLfqaeaIoZluvE",
    "_score" : 1.0,
    "_source" : {
      "message" : "This is from Filebeat"
    }
}

I also removed the fields "@version","host""tags".

Hope this helps.
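
The missing comma pointed out in the first answer is easy to overlook in a long remove_field or blacklist_names list. As an added example (not part of the original posts), the following Python check flags adjacent quoted strings inside a Logstash array that have no comma between them. The function name missing_commas and the simplified tokenizer (it does not skip # comments or look at bare words) are assumptions of this example.

```python
import re

# One token per match: a quoted string, a comma, or an array bracket.
# Quoted strings are matched first, so brackets inside strings are ignored.
TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[\[\],]''')


def missing_commas(config_text):
    """Return (line, left, right) for each pair of adjacent string
    literals inside [...] that is not separated by a comma."""
    findings = []
    depth = 0      # how many '[' are currently open
    prev = None    # previous token seen inside the current array
    for m in TOKEN.finditer(config_text):
        tok = m.group(0)
        if tok == "[":
            depth += 1
            prev = None
        elif tok == "]":
            depth = max(depth - 1, 0)
            prev = None
        elif depth > 0:
            if tok != "," and prev not in (None, ","):
                line = config_text.count("\n", 0, m.start()) + 1
                findings.append((line, prev, tok))
            prev = tok
    return findings


# The filter from the question (comma missing after "input_type").
BROKEN = """\
filter{
    mutate {
        remove_field => ["@timestamp", "beat","input_type""offset","source","type"]
    }
}
"""

# The corrected filter from the first answer.
FIXED = """\
filter{
    mutate {
        remove_field => [ "@timestamp", "beat", "input_type", "offset", "source", "type" ]
    }
}
"""

if __name__ == "__main__":
    for name, text in (("question", BROKEN), ("answer", FIXED)):
        print(name, missing_commas(text))
```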
