Logstash 简明教程
Logstash - Supported Outputs
Logstash 提供多个插件来支持各种数据存储或搜索引擎。日志的输出事件可以发送到输出文件、标准输出或 Elasticsearch 等搜索引擎。Logstash 中有三种类型的受支持输出,它们是:
Logstash provides multiple Plugins to support various data stores or search engines. The output events of logs can be sent to an output file, standard output or a search engine like Elasticsearch. There are three types of supported outputs in Logstash, which are −
-
Standard Output
-
File Output
-
Null Output
让我们现在详细讨论每一个这些。
Let us now discuss each of these in detail.
Standard Output (stdout)
它用于将经过筛选的日志事件生成为命令行界面的数据流。以下是生成数据库事务的总持续时间到 stdout 的示例。
It is used for generating the filtered log events as a data stream to the command line interface. Here is an example of generating the total duration of a database transaction to stdout.
logstash.conf
此配置文件包含一个 stdout 输出插件,用于将总 sql_duration 写入标准输出。
This config file contains a stdout output plugin to write the total sql_duration to a standard output.
input {
file {
path => "C:/tpwork/logstash/bin/log/input.log"
}
}
filter {
grok {
match => [
"message", "%{LOGLEVEL:loglevel} - %{NOTSPACE:taskid}
- %{NOTSPACE:logger} - %{WORD:label}( - %{INT:duration:int})?"
]
}
if [logger] == "TRANSACTION_START" {
aggregate {
task_id => "%{taskid}"
code => "map['sql_duration'] = 0"
map_action => "create"
}
}
if [logger] == "SQL" {
aggregate {
task_id => "%{taskid}"
code => "map['sql_duration'] ||= 0 ;
map['sql_duration'] += event.get('duration')"
}
}
if [logger] == "TRANSACTION_END" {
aggregate {
task_id => "%{taskid}"
code => "event.set('sql_duration', map['sql_duration'])"
end_of_task => true
timeout => 120
}
}
}
output {
if [logger] == "TRANSACTION_END" {
stdout {
codec => line{format => "%{sql_duration}"}
}
}
}Note − 请安装聚合过滤器,如果尚未安装的话。
Note − Please install the aggregate filter, if not installed already.
>logstash-plugin install Logstash-filter-aggregateRun Logstash
我们可以使用以下命令运行 Logstash。
We can run Logstash by using the following command.
>logstash –f logsatsh.confInput.log
以下代码块显示了输入日志数据。
The following code block shows the input log data.
INFO - 48566 - TRANSACTION_START - start
INFO - 48566 - SQL - transaction1 - 320
INFO - 48566 - SQL - transaction1 - 200
INFO - 48566 - TRANSACTION_END – endstdout (在 Windows 系统中是命令提示符,而在 UNIX 系统中是终端)
stdout (it will be command prompt in windows or terminal in UNIX)
这是总的 sql_duration 320 + 200 = 520。
This is the total sql_duration 320 + 200 = 520.
520File Output
Logstash 还可以将筛选日志事件存储到输出文件。我们将使用上述示例,并将输出存储在文件中而不是 STDOUT 中。
Logstash can also store the filter log events to an output file. We will use the above-mentioned example and store the output in a file instead of STDOUT.
logstash.conf
此 Logstash 配置文件将 Logstash 指示到将 total sql_duration 存储到输出日志文件中。
This Logstash config file direct Logstash to store the total sql_duration to an output log file.
input {
file {
path => "C:/tpwork/logstash/bin/log/input1.log"
}
}
filter {
grok {
match => [
"message", "%{LOGLEVEL:loglevel} - %{NOTSPACE:taskid} -
%{NOTSPACE:logger} - %{WORD:label}( - %{INT:duration:int})?"
]
}
if [logger] == "TRANSACTION_START" {
aggregate {
task_id => "%{taskid}"
code => "map['sql_duration'] = 0"
map_action => "create"
}
}
if [logger] == "SQL" {
aggregate {
task_id => "%{taskid}"
code => "map['sql_duration'] ||= 0 ;
map['sql_duration'] += event.get('duration')"
}
}
if [logger] == "TRANSACTION_END" {
aggregate {
task_id => "%{taskid}"
code => "event.set('sql_duration', map['sql_duration'])"
end_of_task => true
timeout => 120
}
}
}
output {
if [logger] == "TRANSACTION_END" {
file {
path => "C:/tpwork/logstash/bin/log/output.log"
codec => line{format => "%{sql_duration}"}
}
}
}Run logstash
我们可以使用以下命令运行 Logstash。
We can run Logstash by using the following command.
>logstash –f logsatsh.conf