matutter · June 24, 2018 16:35
diff --git a/example.log b/example.log
 2018-06-24 09:34:16 main INFO { "event": "wing", "data": "wong" }
 2018-06-24 09:34:16 main DEBUG { "event": "ping", "data": "pong" }
 2018-06-24 09:34:16 main WARNING { "event": "ding", "data": "dong" }
 2018-06-24 09:34:16 main CRITICAL { "event": "ping", "data": "pong" }
 2018-06-24 09:34:21 main INFO { "event": "wing", "data": "wong" }
 2018-06-24 09:34:21 main DEBUG { "event": "ping", "data": "pong" }
 2018-06-24 09:34:21 main WARNING { "event": "ding", "data": "dong" }
 2018-06-24 09:34:21 main CRITICAL { "event": "ping", "data": "pong" }
 2018-06-24 09:34:26 main INFO { "event": "wing", "data": "wong" }
 2018-06-24 09:34:26 main DEBUG { "event": "ping", "data": "pong" }
 2018-06-24 09:34:26 main WARNING { "event": "ding", "data": "dong" }
 2018-06-24 09:34:26 main CRITICAL { "event": "ping", "data": "pong" } 
diff --git a/logstash.conf b/logstash.conf
 #/etc/logstash/conf.d/logstash.conf

 input {
  beats {
    port => "5044"
    type => "special"
  }
 }

 filter {
  if [type] == "special" {
    # strip ANSI color sequences
    mutate {
      gsub => ["message", "\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]", ""]
    }
    # Parse some generic message
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{WORD:api} %{WORD:level} %{GREEDYDATA:event}" }
    }
    # Override @timestamp for time index
    date {
      match => [ "timestamp", "YYYY-MM-dd HH:mm:ss" ]
    }
    # Declare some embedded JSON data in the message
    json{
      source => "event"
      target => "JSONData"
      remove_field=>["event"]
    }
    # Pull out some JSON fields into plain-text fields
    mutate {
      add_field => {
        "event" => "%{[JSONData][event]}"
        "data" => "%{[JSONData][data]}"
      }
    }
  }
 }

 output {
  if [type] == "special" {
    elasticsearch {
      hosts => [ "localhost:9200" ]
      index => "special-%{+YYYY.MM.dd}"
    }
  }
 }
	2018-06-24 09:34:16 main INFO { "event": "wing", "data": "wong" }
	2018-06-24 09:34:16 main DEBUG { "event": "ping", "data": "pong" }
	2018-06-24 09:34:16 main WARNING { "event": "ding", "data": "dong" }
	2018-06-24 09:34:16 main CRITICAL { "event": "ping", "data": "pong" }
	2018-06-24 09:34:21 main INFO { "event": "wing", "data": "wong" }
	2018-06-24 09:34:21 main DEBUG { "event": "ping", "data": "pong" }
	2018-06-24 09:34:21 main WARNING { "event": "ding", "data": "dong" }
	2018-06-24 09:34:21 main CRITICAL { "event": "ping", "data": "pong" }
	2018-06-24 09:34:26 main INFO { "event": "wing", "data": "wong" }
	2018-06-24 09:34:26 main DEBUG { "event": "ping", "data": "pong" }
	2018-06-24 09:34:26 main WARNING { "event": "ding", "data": "dong" }
	2018-06-24 09:34:26 main CRITICAL { "event": "ping", "data": "pong" }
	#/etc/logstash/conf.d/logstash.conf

	input {
	beats {
	port => "5044"
	type => "special"
	}
	}

	filter {
	if [type] == "special" {
	# strip ANSI color sequences
	mutate {
	gsub => ["message", "\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m\|K]", ""]
	}
	# Parse some generic message
	grok {
	match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{WORD:api} %{WORD:level} %{GREEDYDATA:event}" }
	}
	# Override @timestamp for time index
	date {
	match => [ "timestamp", "YYYY-MM-dd HH:mm:ss" ]
	}
	# Declare some embedded JSON data in the message
	json{
	source => "event"
	target => "JSONData"
	remove_field=>["event"]
	}
	# Pull out some JSON fields into plain-text fields
	mutate {
	add_field => {
	"event" => "%{[JSONData][event]}"
	"data" => "%{[JSONData][data]}"
	}
	}
	}
	}

	output {
	if [type] == "special" {
	elasticsearch {
	hosts => [ "localhost:9200" ]
	index => "special-%{+YYYY.MM.dd}"
	}
	}
	}