插件配置

grok 正则捕获:grok 是Logstash 最重要的插件, 你可以在grok 里预定义好命名正则表达式,在稍后(grok 参数或者其他正则表达式里)引用它。2.3.3 GeoIP 地址查询；GeoIP 是最常见的免费IP地址归类查询库, 同时也有收费版可以采购。GeoIP库可以根据IP地址提供对应的地域信息,input {stdin {} }filter {  geoip {   source =>"message" }} output {      stdout {                        codec => rubydebug                } }183.60.92.253{       "message" => "183.60.92.253",      "@version" => "1",    "@timestamp" => "2016-08-23T08:45:29.159Z",          "host" => "0.0.0.0",         "geoip" => {                      "ip" => "183.60.92.253",           "country_code2" => "CN",           "country_code3" => "CHN",            "country_name" => "China",          "continent_code" => "AS",             "region_name" => "30",               "city_name" => "Guangzhou",                "latitude" => 23.11670000000001,               "longitude" => 113.25,                "timezone" => "Asia/Chongqing",        "real_region_name" => "Guangdong",                "location" => [            [0] 113.25,            [1] 23.11670000000001        ]    }}2.3.4 JSON 边解码:2.4 输出插件:输出到Elasticsearch:output {      if   [type] == "zj_nginx_access"{         elasticsearch {                hosts => "192.168.32.80:9200"                index => "logstash-zjzc-nginx-%{+YYYY.MM.dd}"        }stdout {codec => rubydebug}      }        else if  [type] == "uat_nginx_access"{      elasticsearch {                hosts => "192.168.32.81:9200"                index => "logstash-uat-nginx-%{+YYYY.MM.dd}"        }                stdout {                        codec => rubydebug                }     }}2.解释:索引名:写入的Elasticsearch 索引的名称, 这里可以使用变量。为了更贴合日志场景,Logstash提供了%{+YYYY.MM.dd} 这种写法。在语法解析的时候,看到以+号开头的,就会自动认为后面是时间格式。此外,注意索引名中不能有大写字母,否则Elasticsearch在日志中会报错协议 现在,新插件支持三种协议,node,http和transport