分析的文件
2021-03-19 16:40:48 ################### --CPU-- cpu cores : 1 us=2 sy=0 id=97 wa=0 st=0 CPU_RATE:0.83%
2021-03-19 16:41:53 ################### --CPU-- cpu cores : 1 us=2 sy=0 id=97 wa=0 st=0 CPU_RATE:0.73%
logstash.conf文件
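# Pipeline: read the "--CPU--" sampler records from /home/system/*.log, parse one
# event per record, and index them into the "system" index.
#
# Fix: the regexes on this page lost their backslashes and the "<timestamp>"
# capture name during rendering ("d*" would only match a literal "d", and the
# date filter below expects a field named "timestamp"). Both are restored here.
input {
  file {
    type => "system"
    path => "/home/system/*.log"
    start_position => "beginning"
    # Offsets are not persisted across restarts. Tolerable here only because read
    # mode below removes each file once it is fully consumed, so nothing is re-read.
    sincedb_path => "/dev/null"
    mode => read
    # NOTE(review): this deletes the source log after ingestion. If the originals
    # are needed for audit or forensics, use file_completed_action => log instead
    # and keep the files under the normal retention policy.
    file_completed_action => delete
    codec => multiline {
      # A record begins with "<date> <time> ###################"; any line that
      # does NOT match (negate) is folded into the previous record.
      pattern => "^\d*[./-]\d*[./-]\d* \d*:\d*:\d* ###################"
      negate => true
      what => "previous"
    }
  }
}
filter {
  if [type] == "system" {
    grok {
      # The named capture "timestamp" must match the field the date filter reads.
      # Field layout (see the sample line): <ts> #### --CPU-- cpu cores : N us=.. sy=.. id=.. wa=.. st=.. CPU_RATE:..%
      match => {
        "message" => '(?<timestamp>(\d*[./-]\d*[./-]\d* \d*:\d*:\d*)) %{NOTSPACE}%{SPACE}--%{WORD:name}--%{SPACE}%{WORD} %{WORD}%{SPACE}%{NOTSPACE} %{INT:cpuCores}%{SPACE}%{WORD}=%{WORD:us}%{SPACE}%{WORD}=%{WORD:sy}%{SPACE}%{WORD}=%{WORD:id}%{SPACE}%{WORD}=%{WORD:wa}%{SPACE}%{WORD}=%{WORD:st}%{SPACE}%{WORD}:%{NOTSPACE:CPU_RATE}'
      }
    }
    date {
      # Set @timestamp from the time embedded in the record rather than ingest time.
      match => ["timestamp", "yyyy-MM-dd HH:mm:ss"]
    }
  }
}
output {
  if [type] == "system" {
    elasticsearch {
      # NOTE(review): plaintext HTTP with no credentials (the host is a placeholder
      # from the original page). If the cluster has security enabled, use an https
      # URL, set user/password (or api_key), and point cacert at the cluster CA.
      hosts => ["http://*.*.*.*:9200"]
      index => "system"
    }
  }
}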



