How should I modify logstash.conf to get the field I want?
I use the ELK + Filebeat , all version is 6.4.3 , the OS is windows 10
I add custom field in filebeat.yml , the key name is log_type , the value of log_type is nginx-access
The picture show part of filebeat.yml.
The content of logstash.conf is :
input {
beats {
host => "0.0.0.0"
port => "5544"
}
}
filter {
mutate {
rename => { "[host][name]" => "host" }
}
if [fields][log_type] == "nginx-access" {
grok {
match => { "message" => ["%{IPORHOST:[nginx][access][remote_ip]} - %{DATA:[nginx][access][user_name]} \[%{HTTPDATE:[nginx][access][time]}\] \"%{WORD:[nginx][access][method]} %{DATA:[nginx][access][url]} HTTP/%{NUMBER:[nginx][access][http_version]}\" %{NUMBER:[nginx][access][response_code]} %{NUMBER:[nginx][access][body_sent][bytes]} \"%{DATA:[nginx][access][referrer]}\" \"%{DATA:[nginx][access][agent]}\" \"%{DATA:[nginx][access][x_forwarded_for]}\" %{NUMBER:[nginx][access][request_time]}"] }
}
mutate {
copy => { "[nginx][access][request_time]" => "[nginx][access][requesttime]" }
}
mutate {
convert => {
"[nginx][access][requesttime]" => "float"
}
}
}
}
output {
stdout {
codec => rubydebug { metadata => true }
}
elasticsearch {
hosts => ["localhost:9200"]
}
}
When I use the command :
logstash.bat -f logstash.conf
The output is :
Question 1:
The field in the red box above is "requesttime" and "request_time" , what I want the field is nginx.access.requesttime and nginx.access.request_time,not requesttime and request_time 。 How should I modify logstash.conf to achieve my goal?
Question 2:
When I use the above logstash.conf , the field of the kibana management interface is only "request_time" field .
The picture show this :
If I want the "nginx.access.requesttime" field to also appear in the fields of the Kibana management interface, how should I modify the logstash.conf ?
Question 1:
I believe what you are looking for is
mutate {
copy => { "[nginx][access][request_time]" => "nginx.access.requesttime" }
}
Question 2:
Whethere something is a keyword is determined by the template field mapping in Elasticsearch. Try the option above and see if the issue resolved.
This issue in elastic forum may help you.
- How to enable .htaccess support with PHP-FPM, Nginx, and Apache2 on Ubuntu 24.04 with FastPanel?
- How to simulate DDOS/Slashdotting?
- How can I allow access to a single IP address via Nginx.conf?
- Is there a way to generate a helm install script from a ConfigMap?
- FastAPI with nginx does not serve static files in HTTPS
- NGINX reverse proxy returns HTTP 400 with a invalid header line for my flutter app.Works fine in Postman
- File copied in dockerfile: Not found if in specific location
- CentOS 7 - NGINX - DNS Load Balance
- What is the right way to declare memory resource in AWS ECS task definition for Docker Nginx?
- nginx "server_tokens off" does not remove the server header
- How to correctly run streamlit app with nginx on https?
- nginx in docker 502
- How to parse several log nginx files using goaccess
- Conditional set up of a proxy server on Server A that allows Server B to perform Docker operations through a http proxy
- HTTP to HTTPS Nginx too many redirects
- Permission Denied on Socket File - NGINX + Gunicorn + Flask
- Are location specific logfiles treated different?
- nginx the "ssl" directive is deprecated, use the "listen ... ssl"
- Run Nginx as Windows service
- Unicode special character U+FFFD returning from my Nest.JS API, but only sometimes
- SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
- fatal: repository not found, 404
- Undefined variable $form on remote server
- nginx how to check the value of optional header
- Pm2 process stops running automatically in ubuntu server
- NGINX Ingress Controller Proxying Websocket Connections
- Why is the initial connection time for a HTTP request so long?
- Nginx Error 413 Entity too large on AWS ELB
- Connection Refused Between SSR Next.js and Laravel API
- Kubernetes nginx Ingress rewrite-target results in double slash