自定义字段
自定义 pipeline
1. 进入Stack Management > Ingest Node Pipelines > Create a pipeline
1.1 k8s-freeswitch
[
{
"script": {
"lang": "painless",
"source": "ctx.message = ctx.message.substring(0, 8192)",
"if": "ctx.message.length() > 8192"
}
},
{
"set": {
"field": "system.syslog.text",
"value": "{{message}}"
}
},
{
"set": {
"field": "system.syslog.location",
"value": "freeswitchserv"
}
},
{
"remove": {
"field": [
"message",
"agent",
"ecs.version",
"input.type",
"host.name"
]
}
},
{
"dissect": {
"field": "log.file.path",
"pattern": "/logs/%{system.syslog.app_ns}/%{system.syslog.app_id}/%{system.syslog.app_ip}/%{system.syslog.app_uid}/%{log.type}.log",
"ignore_failure": true
}
},
{
"date": {
"field": "@timestamp",
"target_field": "@timestamp",
"formats": [
"ISO8601"
],
"timezone": "Asia/Shanghai"
}
}
]
1.2 log4j-for-k8s
[
{
"script": {
"lang": "painless",
"source": "ctx.message = ctx.message.substring(0, 8192)",
"if": "ctx.message.length() > 8192"
}
},
{
"script": {
"lang": "painless",
"source": "ctx.is_slow_query = ctx.message.contains('slow sql') || ctx.message.contains('Slow mongo') ? true : false"
}
},
{
"script": {
"lang": "painless",
"source": "ctx.is_contains_lookup = ctx.message.contains('${jndi') ? true : false"
}
},
{
"grok": {
"field": "message",
"patterns": [
"%{TIMESTAMP_ISO8601:system.syslog.timestamp}:%{DATA:apache2.error.level} %{DATA:system.syslog.pid} %{DATA:system.syslog.trace_id} %{DATA:system.syslog.span_id} %{GREEDYMULTILINE:system.syslog.text}"
],
"pattern_definitions": {
"GREEDYMULTILINE": "(.|\n)*"
},
"ignore_missing": true
}
},
{
"dissect": {
"field": "system.syslog.text",
"pattern": "(%{system.syslog.location}) %{?detail}",
"on_failure": [
{
"set": {
"field": "system.syslog.location",
"value": "location"
}
}
]
}
},
{
"remove": {
"field": [
"message",
"agent",
"ecs.version",
"input.type",
"host.name"
]
}
},
{
"dissect": {
"field": "log.file.path",
"pattern": "/logs/%{system.syslog.app_ns}/%{system.syslog.app_id}/%{system.syslog.app_ip}/%{system.syslog.app_uid}/%{log.type}.log",
"ignore_failure": true
}
},
{
"date": {
"field": "system.syslog.timestamp",
"target_field": "@timestamp",
"formats": [
"yyyy-MM-dd HH:mm:ss,SSS"
],
"timezone": "Asia/Shanghai"
}
}
]
1.3 kamailio
[
{
"script": {
"lang": "painless",
"source": "ctx.message = ctx.message.substring(0, 8192)",
"if": "ctx.message.length() > 8192"
}
},
{
"grok": {
"field": "message",
"patterns": [
"%{TIMESTAMP_ISO8601:system.syslog.timestamp} %{IPORHOST:hostname} %{WORD:identifier} %{NUMBER:process_id}\\(%{NUMBER:thread_count}\\) %{LOGLEVEL:log_level}: %{GREEDYDATA:system.syslog.text}"
]
}
},
{
"set": {
"field": "system.syslog.location",
"value": "kamailio"
}
},
{
"remove": {
"field": [
"message",
"agent",
"ecs.version"
]
}
},
{
"date": {
"field": "system.syslog.timestamp",
"target_field": "@timestamp",
"formats": [
"yyyy-MM-dd'T'HH:mm:ss.SSSSSSXXX"
],
"timezone": "Asia/Shanghai"
}
}
]
本文由作者按照
CC BY 4.0
进行授权