`-t` 参数可以进行配置检查
`start_position` 代表从头开始读数据
`grok` 和 `geoip` 是两个过滤插件
执行操作
[root@h102 logstash]# /opt/logstash/bin/logstash -f first-pipeline.conf
Settings: Default filter workers: 1
Logstash startup completed
2015-12-23T13:45:19.034Z h102.temp 83.149.9.216 - - [04/Jan/2015:05:13:42 0000] "GET /presentations/logstash-monitorama-2013/images/kibana-search.png HTTP/1.1" 200 203023 "http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36"
2015-12-23T13:45:19.037Z h102.temp 83.149.9.216 - - [04/Jan/2015:05:13:42 0000] "GET /presentations/logstash-monitorama-2013/images/kibana-dashboard3.png HTTP/1.1" 200 171717 "http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36"
2015-12-23T13:45:19.037Z h102.temp 83.149.9.216 - - [04/Jan/2015:05:13:44 0000] "GET /presentations/logstash-monitorama-2013/plugin/highlight/highlight.js HTTP/1.1" 200 26185 "http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36"
...
...
在 Elasticsearch 中检索
使用下面的方式进行检索（示例在本机直接访问 localhost:9200，请求未带任何认证信息；9200 端口不应直接暴露给不受信任的网络）
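查返回状态为 404 和 304 的记录。注意：从下面的输出可以看到，两次查询的结果中都混入了 response 为 200 的记录（其请求路径 frontend-response-codes.png 中含有 response 一词），说明 `q=response=404` 这种写法并没有把条件限定在 response 字段上。若要按字段过滤，应使用 Lucene 查询语法的 `字段:值` 形式，例如 `q=response:404`。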
[root@h102 ~]# curl -XGET 'localhost:9200/logstash-2015.12.23/_search?q=response=404'
{"took":3,"timed_out":false,"_shards":{"total":5,"successful":5,"failed":0},"hits":{"total":2,"max_score":1.5351382,"hits":[{"_index":"logstash-2015.12.23","_type":"logs","_id":"AVHPFktn70zKhyBEHGid","_score":1.5351382,"_source":{"message":"66.249.73.185 - - [04/Jan/2015:05:22:13 0000] "GET /doc/index.html?org/elasticsearch/action/search/SearchResponse.html HTTP/1.1" 404 294 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"","@version":"1","@timestamp":"2015-12-23T13:45:22.565Z","host":"h102.temp","path":"/root/logstash/logstash-tutorial.log","clientip":"66.249.73.185","ident":"-","auth":"-","timestamp":"04/Jan/2015:05:22:13 0000","verb":"GET","request":"/doc/index.html?org/elasticsearch/action/search/SearchResponse.html","httpversion":"1.1","response":"404","bytes":"294","referrer":""-"","agent":""Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"","geoip":{"ip":"66.249.73.185","country_code2":"US","country_code3":"USA","country_name":"United States","continent_code":"NA","region_name":"CA","city_name":"Mountain View","latitude":37.385999999999996,"longitude":-122.0838,"dma_code":807,"area_code":650,"timezone":"America/Los_Angeles","real_region_name":"California","location":[-122.0838,37.385999999999996]}}},{"_index":"logstash-2015.12.23","_type":"logs","_id":"AVHPFktm70zKhyBEHGhn","_score":1.4070371,"_source":{"message":"83.149.9.216 - - [04/Jan/2015:05:13:45 0000] "GET /presentations/logstash-monitorama-2013/images/frontend-response-codes.png HTTP/1.1" 200 52878 "http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36"","@version":"1","@timestamp":"2015-12-23T13:45:19.047Z","host":"h102.temp","path":"/root/logstash/logstash-tutorial.log","clientip":"83.149.9.216","ident":"-","auth":"-","timestamp":"04/Jan/2015:05:13:45 
0000","verb":"GET","request":"/presentations/logstash-monitorama-2013/images/frontend-response-codes.png","httpversion":"1.1","response":"200","bytes":"52878","referrer":""http://semicomplete.com/presentations/logstash-monitorama-2013/"","agent":""Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36"","geoip":{"ip":"83.149.9.216","country_code2":"RU","country_code3":"RUS","country_name":"Russian Federation","continent_code":"EU","region_name":"48","city_name":"Moscow","latitude":55.75219999999999,"longitude":37.6156,"timezone":"Europe/Moscow","real_region_name":"Moscow City","location":[37.6156,55.75219999999999]}}}]}}[root@h102 ~]#
[root@h102 ~]#
[root@h102 ~]#
[root@h102 ~]# curl -XGET 'localhost:9200/logstash-2015.12.23/_search?q=response=304&pretty'
{
"took" : 6,
"timed_out" : false,
"_shards" : {
"total" : 5,
"successful" : 5,
"failed" : 0
},
"hits" : {
"total" : 2,
"max_score" : 1.570033,
"hits" : [ {
"_index" : "logstash-2015.12.23",
"_type" : "logs",
"_id" : "AVHPFktm70zKhyBEHGhn",
"_score" : 1.570033,
"_source":{"message":"83.149.9.216 - - [04/Jan/2015:05:13:45 0000] "GET /presentations/logstash-monitorama-2013/images/frontend-response-codes.png HTTP/1.1" 200 52878 "http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36"","@version":"1","@timestamp":"2015-12-23T13:45:19.047Z","host":"h102.temp","path":"/root/logstash/logstash-tutorial.log","clientip":"83.149.9.216","ident":"-","auth":"-","timestamp":"04/Jan/2015:05:13:45 0000","verb":"GET","request":"/presentations/logstash-monitorama-2013/images/frontend-response-codes.png","httpversion":"1.1","response":"200","bytes":"52878","referrer":""http://semicomplete.com/presentations/logstash-monitorama-2013/"","agent":""Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36"","geoip":{"ip":"83.149.9.216","country_code2":"RU","country_code3":"RUS","country_name":"Russian Federation","continent_code":"EU","region_name":"48","city_name":"Moscow","latitude":55.75219999999999,"longitude":37.6156,"timezone":"Europe/Moscow","real_region_name":"Moscow City","location":[37.6156,55.75219999999999]}}
}, {
"_index" : "logstash-2015.12.23",
"_type" : "logs",
"_id" : "AVHPFlOg70zKhyBEHGi0",
"_score" : 1.570033,
"_source":{"message":"218.30.103.62 - - [04/Jan/2015:05:27:36 0000] "GET /projects/xdotool/xdotool.xhtml HTTP/1.1" 304 - "-" "Sogou web spider/4.0( http://www.sogou.com/docs/help/webmasters.htm#07)"","@version":"1","@timestamp":"2015-12-23T13:45:22.923Z","host":"h102.temp","path":"/root/logstash/logstash-tutorial.log","clientip":"218.30.103.62","ident":"-","auth":"-","timestamp":"04/Jan/2015:05:27:36 0000","verb":"GET","request":"/projects/xdotool/xdotool.xhtml","httpversion":"1.1","response":"304","referrer":""-"","agent":""Sogou web spider/4.0( http://www.sogou.com/docs/help/webmasters.htm#07)"","geoip":{"ip":"218.30.103.62","country_code2":"CN","country_code3":"CHN","country_name":"China","continent_code":"AS","region_name":"22","city_name":"Beijing","latitude":39.9289,"longitude":116.38830000000002,"timezone":"Asia/Harbin","real_region_name":"Beijing","location":[116.38830000000002,39.9289]}}
} ]
}
}
[root@h102 ~]#