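I have two types of log files: output from an ETL process, and then output from a downstream processor. We'll call them the "ETL" and "Processor" logs.
The ETL logs are located in their own folders under the logs directory, while the processor logs are in that same directory.
So, I have a folder structure like this: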
    /Archive
      /DataLoader_Supplemental
        /DataLoader_ETLForRequestID_1
          /(...40 log files)
        /DataLoader_ETLForRequestID_2
          /(...40 log files)
        DataLoader_Processor_123.log
        DataLoader_Processor_456.log
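Each log has the same format (as in, I can use the same grok for them).
I'd like to get both log types into the same ElasticSearch index as different types, so that I can query them.
I was able to do this when pointing it at only one type of log (*.log in a specific ETL request folder).
However, I can't seem to get it working with two different types, or get it to scan all of the ETL folders and pick up all of the logs.
What am I doing wrong?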
    input {
      file {
        path => '//MyFileServer/DATALOADER-TST/Archive/DataLoader_Supplemental/DataLoader_ETLForRequestID**/*.log'
        type => "etl"
        sincedb_path => "C:/Users/skilleen/Desktop/temp/logstash/target/.sincedb.etl.log"
        start_position => "beginning"
      }
      file {
        path => '//MyFileServer/DATALOADER-TST/Archive/DataLoader_Supplemental/*.log'
        type => "processor"
        sincedb_path => "C:/Users/skilleen/Desktop/temp/logstash/target/.sincedb.processor.log"
        start_position => "beginning"
      }
    }
    filter {
      grok {
        match => { "message" => "%{DATESTAMP:datestamp} %{ISO8601_TIMEZONE:tzoffset} %{SYSLOG5424SD:loglevel}" }
      }
    }
    output {
      elasticsearch {
        protocol => "http"
        host => "localhost:9200"
        index => "dataloaderlogstst"
      }
    }
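Logstash appears to be processing something, and I see the sincedb files being created; however, the index never gets created in ElasticSearch.
Update: After some patience, it looks like the ETL logs are being imported into ElasticSearch, while the processor logs are not.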
    [2015-08-05 08:43:38,282][INFO ][node ] [Isis] version[1.7.1], pid[22120], build[b88f43f/2015-07-29T09:54:16Z]
    [2015-08-05 08:43:38,283][INFO ][node ] [Isis] initializing ...
    [2015-08-05 08:43:38,356][INFO ][plugins ] [Isis] loaded [], sites [HQ]
    [2015-08-05 08:43:38,428][INFO ][env ] [Isis] using [1] data paths, mounts [[OS (C:)]], net usable_space [40.2gb], net total_space [223.2gb], types [NTFS]
    [2015-08-05 08:43:41,605][INFO ][node ] [Isis] initialized
    [2015-08-05 08:43:41,606][INFO ][node ] [Isis] starting ...
    [2015-08-05 08:43:42,292][INFO ][transport ] [Isis] bound_address {inet[/0:0:0:0:0:0:0:0:9300]}, publish_address {inet[/172.16.85.21:9300]}
    [2015-08-05 08:43:42,568][INFO ][discovery ] [Isis] elasticsearch/74dbAjLJQj62k6z83LkLog
    [2015-08-05 08:43:46,339][INFO ][cluster.service ] [Isis] new_master [Isis][74dbAjLJQj62k6z83LkLog][DCSKILLEEN][inet[/172.16.85.21:9300]], reason: zen-disco-join (elected_as_master)
    [2015-08-05 08:43:46,383][INFO ][gateway ] [Isis] recovered [1] indices into cluster_state
    [2015-08-05 08:43:46,764][INFO ][http ] [Isis] bound_address {inet[/0:0:0:0:0:0:0:0:9200]}, publish_address {inet[/172.16.85.21:9200]}
    [2015-08-05 08:43:46,766][INFO ][node ] [Isis] started
    [2015-08-05 09:10:13,149][INFO ][cluster.metadata ] [Isis] [dataloaderlogstst] creating index, cause [auto(bulk api)], templates [], shards [5]/[1], mappings [etl]
    [2015-08-05 09:10:13,294][INFO ][cluster.metadata ] [Isis] [dataloaderlogstst] update_mapping [etl] (dynamic)
    [2015-08-05 09:10:14,097][INFO ][cluster.metadata ] [Isis] [dataloaderlogstst] update_mapping [etl] (dynamic)
    C:\Users\skilleen\Downloads\logstash-1.5.3\logstash-1.5.3\bin>logstash agent -f logstash.conf
    io/console not supported; tty will not be manipulated
    '[DEPRECATED] use `require 'concurrent'` instead of `require 'concurrent_ruby'`
    Logstash startup completed