elk7.7.1【系列七】logstashfilter 快捷测试

logstash7.7.1安装及基础配置见

https://blog.csdn.net/qq_29384639/article/details/107083915

1、修改logstash配置文件，修改为控制台输入控制台输入

cd /etc/logstash/conf.d

 新建测试配置文件

vim test.conf input { stdin {} } filter{ grok{ match => {"message" => "%{IP:ip_address}\ -\ -\ \[%{HTTPDATE:timestamp}\]\ %{QS:referrer}\ %{NUMBER:status}\ %{NUMBER:bytes}"} } date{ match => ["timestamp","dd/MMM/yyyy:HH:mm:ss Z"] } mutate{ remove_field => ["message","@timestamp"] } } output { stdout {} }

 

2、启动logstash指定该配置文件

/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf

3、启动完成后，控制台输入

192.168.81.1 - - [22/Jun/2020:00:12:33 -0700] "GET /favicon.ico HTTP/1.1" 200 21630

filter中grok详细写法教程参阅  https://www.elastic.co/guide/en/logstash/7.7/plugins-filters-grok.html