output.redis:
hosts: ["localhost"]
keys:
- key: "info_list" # send to info_list if `message` field contains INFO
when.contains:
message: "INFO"
- key: "debug_list" # send to debug_list if `message` field contains DEBUG
when.contains:
message: "DEBUG"
- key: "%{[type]}"
mapping:
"http": "frontend_list"
"nginx": "frontend_list"
"mysql": "backend_list"
when type is http, and there's 'http' key in redis, but frontend_list not.
steffens
June 19, 2017, 9:49am
2
Filebeat version?
Do you have a more complete filebeat configuration? Do you set the document_type to http in the prospector?
Thanks steffens.
Filebeat 5.2.2
here is my full configuration:
---
filebeat:
logging.files:
keepfiles: 3
name: filebeat.log
path: /var/log/filebeat
logging.level: warning
logging.to_files: true
prospectors:
- document_type: nginx
input_type: log
max_lines: 100
multiline.match: after
multiline.negate: true
multiline.pattern: ^\w*\s-\s[0-9]{4}-[0-9]{2}-[0-9]{2}
paths:
- /usr/local/xxxx/log/bbb.log
- /usr/local/xxxx/log/xxx.log
tail_files: true
timeout: 3s
- document_type: http
input_type: log
max_lines: 100
multiline.match: after
multiline.negate: true
multiline.pattern: ^\w*\s-\s[0-9]{4}-[0-9]{2}-[0-9]{2}
paths:
- /usr/local/xxxxxx/log/xxx.log
tail_files: true
timeout: 3s
output:
redis:
db: '0'
hosts:
- xxxxx.com:6379
key: 'default_key'
keys:
- key: "info_list"
when.contains:
message: "INFO"
- key: "%{[type]}"
mapping:
"http": "frontend_list"
"nginx": "frontend_list"
"mysql": "backend_list"
timeout: 5
steffens
June 20, 2017, 9:12am
4
looks like a typo. It must say mappings, not mapping in the configuration file.
system
July 18, 2017, 9:27am
5
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.