I'm testing logstash, and my test.conf is as below:
input {
  exec {
    command => "tail /var/log/testx.log"
    interval => 5
    type => "testx"
  }
  exec {
    command => "tail /var/log/testy.log"
    interval => 5
    type => "testy"
  }
}
filter {
  if [type] == "testx" {
    grok {
      patterns_dir => "/home/test/logstash.patterns"
      match => {"message" => "%{MYLOG}"}
    }
  }
  if [type] == "testy" {
    grok {
      patterns_dir => "/home/test/logstash.patterns"
      match => {"message" => "%{MYLOG}"}
    }
  }
}
output {
  if [type] == "testx" {
    file {
      codec => "json"
      path => "/tmp/testx.json"
    }
  }
  if [type] == "testy" {
    file {
      codec => "json"
      path => "/tmp/testy.json"
    }
  }
}
The trouble is, I can't get this simple conf working: I either get only one JSON output file or none of them. What's wrong with it, and what is the best way in my case of multi-inputs, multi-filters, multi-outputs?
First, that tail command is very weird. Why don't you just read the file?
Second, for each if [..] { ... }, link them with if [..] { ... } else if [..] { .. } else { .. } as it is faster... if one event is from one type, it can't be from other types.
Finally, it is hard to know remotely why it fails, but use KISS (keep it simple and stupid).
Start with one input, no filter, debug output (i.e. log or stdout), then add the 2 inputs, then one filter, then 2, and if all is OK, start to mess with the output. On the output, do not forget to put an else { .. } to catch any other event that does not bring the correct type, as you can catch errors with it. I use /var/log/logstash/broken.log and I check it every few days/weeks to fix any broken log/event.
Looking at the debug output, you will see what each event has and what fields it is bringing.
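The reply's suggestions combined into one pipeline, as an added example that is not part of the original thread: file inputs instead of exec/tail, a chained if / else if / else on the output, a catch-all to broken.log, and a stdout debug output. It assumes MYLOG is defined in the poster's patterns directory; `start_position` and sending grok failures to broken.log are choices made for this example.

```logstash
# Added example; assumes MYLOG is defined in /home/test/logstash.patterns.
input {
  # Read the files directly instead of polling `tail` through exec.
  file {
    path => "/var/log/testx.log"
    type => "testx"
    start_position => "beginning"   # assumption: also read existing lines on first run
  }
  file {
    path => "/var/log/testy.log"
    type => "testy"
    start_position => "beginning"
  }
}

filter {
  # Both types use the same pattern in the original conf, so one grok covers them.
  if [type] in ["testx", "testy"] {
    grok {
      patterns_dir => ["/home/test/logstash.patterns"]
      match => { "message" => "%{MYLOG}" }
    }
  }
}

output {
  # Debug view of every event and its fields; remove once the pipeline works.
  stdout { codec => rubydebug }

  # Mutually exclusive branches: an event can only have one type.
  if [type] == "testx" and "_grokparsefailure" not in [tags] {
    file {
      codec => "json"
      path => "/tmp/testx.json"
    }
  } else if [type] == "testy" and "_grokparsefailure" not in [tags] {
    file {
      codec => "json"
      path => "/tmp/testy.json"
    }
  } else {
    # Catch-all: unknown type or a line MYLOG did not match.
    file {
      codec => "json"
      path => "/var/log/logstash/broken.log"
    }
  }
}
```

An empty /tmp/testx.json alongside a growing broken.log points at the MYLOG pattern rather than at the input or the routing.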