# Logstash pipeline: read log lines from stdin, parse two bracketed log layouts
# with grok, explode the "[key:value] [key:value]" run into fields, parse the
# timestamp of the second layout, and write events to a local Elasticsearch
# plus a rubydebug dump on stdout.

# Input: one event per line from standard input (no file or network source here).
input { stdin { } }

filter {
  grok {
    match => {
      "message" => [
        # Layout 1: "<ts> <LEVEL> [service,traceId,spanId,spanExportable] <pid> --- [thread] <logger> : [k:v] [k:v] ... text"
        # Captures "timestamp" (not "logdate"), so this layout is NOT parsed by the date filter below.
        # Looks like a Spring/Sleuth-style console line -- TODO confirm against real samples.
        "%{TIMESTAMP_ISO8601:timestamp}\s+%{LOGLEVEL:level}\s+\[%{DATA:service},%{DATA:traceId},%{DATA:spanId},%{DATA:spanExportable}\]\s+%{DATA:pid}\s+---\s+\[%{DATA:thread_name}\]\s+%{DATA:logger_name}\s+:\s+(?<keyValuePairs>(?:\[[^\[\]\:]+\:(?:[^\[\]\:]*)\])?(?: \[[^\[\]\:]+\:(?:[^\[\]\:]*)\])*)\s*%{GREEDYDATA:text}",
        # Layout 2: "[<ts>] [thread] [LEVEL] [logger] => [k:v] [k:v] ... text".
        # Captures "logdate", which the date filter below converts; a [k:v] value may itself be an ISO8601 timestamp.
        # NOTE(review): "[\s+]*" is a character class (whitespace OR a literal '+'), so it also swallows leading
        # '+' characters from "text"; "\s*" may have been intended -- confirm before changing.
        "\[%{TIMESTAMP_ISO8601:logdate}\]\s+\[%{DATA:thread}\]\s+\[%{LOGLEVEL:level}\]\s+\[%{DATA:logger}\]\s+\=\>\s+(?<keyValuePairs>(?:\[[^\[\]\:]+\:(?:[^\[\]\:]*|%{TIMESTAMP_ISO8601})\])?(?:\s+\[[^\[\]\:]+\:(?:[^\[\]\:]*|%{TIMESTAMP_ISO8601})\])*)[\s+]*%{GREEDYDATA:text}"
      ]
    }
  }

  # Turn the captured "[key:value] [key:value]" run into individual event fields.
  kv {
    source => "keyValuePairs"
    # Pairs are separated by a single space; keys and values are split on the first ':'.
    field_split => " "
    # Strip the surrounding '[' from keys and ']' from values left over from the bracket syntax.
    trim_key => "\["
    trim_value => "\]"
    value_split => ":"
    # The raw run is redundant once exploded; drop it to keep the event small.
    remove_field => [ "keyValuePairs" ]
  }

  # Parse "logdate" (layout 2 only) into a real date. "timestamp" from layout 1 is left as a string.
  date {
    match => ["logdate", "yyyy-MM-dd HH:mm:ss,SSS", "ISO8601"]
    # Presumably the log lines carry no zone offset, so one is assumed here -- verify against the source logs.
    timezone => "Australia/Sydney"
    # Writes back into "logdate" rather than the default "@timestamp", so event time stays the ingest time.
    target => "logdate"
  }
}

output {
  # Local Elasticsearch over plain HTTP; no TLS or credentials are configured in this file,
  # which is only appropriate for a loopback/dev instance.
  elasticsearch { hosts => ["localhost:9200"] }
  # Debug dump of every event to the console; remove for anything beyond local testing.
  stdout { codec => rubydebug }
}