logstash 的配置中加入了 stdout { codec => rubydebug },是为了方便在终端监视信息(在实际应用中完全没有必要,而且它会把每条日志事件的完整内容打印到终端)。经过一番刷屏,输出最终停了下来。
数据导入之前es里是这样的
[root@h102 etc]# curl localhost:9200/_cat/indices?v
health status index pri rep docs.count docs.deleted store.size pri.store.size
yellow open filebeat-2015.12.24 5 1 3182 0 1mb 1mb
yellow open logstash-2015.12.23 5 1 100 0 235.8kb 235.8kb
yellow open logstash-2015.12.22 5 1 41 0 126.5kb 126.5kb
yellow open .kibana 1 1 94 0 102.3kb 102.3kb
[root@h102 etc]#
导入之后是这样的
[root@h102 ~]# curl localhost:9200/_cat/indices?v
health status index pri rep docs.count docs.deleted store.size pri.store.size
yellow open filebeat-2015.12.24 5 1 3182 0 1mb 1mb
yellow open logstash-2015.12.23 5 1 100 0 235.8kb 235.8kb
yellow open logstash-2015.12.22 5 1 41 0 126.5kb 126.5kb
yellow open filebeat-2016.01.05 5 1 4182 0 1.3mb 1.3mb
yellow open .kibana 1 1 94 0 102.3kb 102.3kb
[root@h102 ~]#
对比导入前后的列表,多了一个索引 filebeat-2016.01.05
查看数据(注意:query string 中按字段查询的写法是 字段:值,例如 q=message:2935;下面的 q=message=2935 没有用冒号限定字段)
[root@h102 ~]# curl -XGET 'localhost:9200/filebeat-2016.01.05/_search?q=message=2935&pretty'
{
"took" : 9,
"timed_out" : false,
"_shards" : {
"total" : 5,
"successful" : 5,
"failed" : 0
},
"hits" : {
"total" : 1,
"max_score" : 2.3564386,
"hits" : [ {
"_index" : "filebeat-2016.01.05",
"_type" : "log",
"_id" : "AVIQ3fOb0svkz_zfzuMm",
"_score" : 2.3564386,
"_source":{"message":"Jan 5 16:18:37 h102 dhclient[1624]: bound to 192.168.1.117 -- renewal in 2935 seconds.","@version":"1","@timestamp":"2016-01-05T08:18:39.119Z","beat":{"hostname":"h102.temp","name":"h102.temp"},"count":1,"fields":null,"input_type":"log","offset":166773,"source":"/var/log/messages","type":"log","host":"h102.temp"}
} ]
}
}
[root@h102 ~]#