Filebeat - parse fields from message line

Submitted by 元气小坏坏 on 2020-01-02 03:06:22

Question


I am using Filebeat to ship log data from my local txt files into Elasticsearch, and I want to add some fields from the message line to the event - like timestamp and log level. For example here is one of my log lines:

2016-09-22 13:51:02,877 INFO 'start myservice service'

My question is: Can I do that by Filebeat -> Elasticsearch or must I go through Logstash?


Answer 1:


You can use Filebeat -> Elasticsearch if you make use of the Ingest Node feature in Elasticsearch 5.0. Otherwise, yes, you need to use Logstash.

In both cases you would use a grok filter to parse the message line into structured data. Also you'll want to use a date to parse and normalize the date.
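
An added example, not part of the original answer: a request body for Elasticsearch's `POST _ingest/pipeline/_simulate` endpoint that runs a grok processor and a date processor over the log line from the question. The field names `timestamp`, `level`, `log_message` and `parse_error` are assumptions chosen for illustration, and the date is interpreted as UTC because the log line carries no time zone.

```json
{
  "pipeline": {
    "description": "Added example: parse '<timestamp> <level> <quoted message>' lines shipped by Filebeat (field names are illustrative)",
    "processors": [
      {
        "grok": {
          "field": "message",
          "patterns": [
            "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} '%{GREEDYDATA:log_message}'"
          ]
        }
      },
      {
        "date": {
          "field": "timestamp",
          "formats": ["yyyy-MM-dd HH:mm:ss,SSS"],
          "timezone": "UTC",
          "target_field": "@timestamp"
        }
      },
      {
        "remove": {
          "field": "timestamp"
        }
      }
    ],
    "on_failure": [
      {
        "set": {
          "field": "parse_error",
          "value": "{{ _ingest.on_failure_message }}"
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "message": "2016-09-22 13:51:02,877 INFO 'start myservice service'"
      }
    },
    {
      "_source": {
        "message": "constructed sample line that does not match the pattern"
      }
    }
  ]
}
```

Once the simulated output looks right, the `pipeline` object can be stored with `PUT _ingest/pipeline/<name>` and referenced from Filebeat through the `pipeline` setting under `output.elasticsearch`. The `on_failure` handler keeps lines that do not match the pattern indexed with a `parse_error` field instead of having them rejected.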



Source: https://stackoverflow.com/questions/40460830/filebeat-parse-fields-from-message-line
