logstash输出多个索引样式（顶级字段与二级字段）

filebeat配置

#表示的是会把 service作为fields的二级字段
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/aa.log
  fields: 
    service: aa

- type: log
  enabled: true
  paths:
    - /var/log/messages*
  fields:
    service: message

fields_under_root：如果该选项设置为true，则新增fields成为顶级目录，而不是将其放在fields目录下。自定义的field会覆盖filebeat默认的field。例如添加如下配置：

#表示的是会把 service作为fields顶级字段
fields:
  service: message
fields_under_root: true

logstash配置

#表示的是会把 service作为fields的二级字段logstash配置
output {
  stdout {
    codec => json
  }
  elasticsearch {
    hosts => ["https://node01:9200","https://node02:9200","https://node03:9200"]
    ssl => true
    cacert => "/home/logstash/logstash-7.5.1/config/certs/ca.crt"
    index => "logstash-%{[fields][service]}-%{+YYYY.MM.dd}"
    user => "logstash_writer"
    password => "logstash"
  }
}

#表示的是会把 service作为fields的顶级字段logstash配置

output {
  stdout {
    codec => json
  }
  elasticsearch {
    hosts => ["https://node01:9200","https://node02:9200","https://node03:9200"]
    ssl => true
    cacert => "/home/logstash/logstash-7.5.1/config/certs/ca.crt"
    index => "logstash-%{[service]}-%{+YYYY.MM.dd}"
    user => "logstash_writer"
    password => "logstash"
  }
}

也可以这样写

if [fields][service] == 'aa' {
    elasticsearch {
      hosts => ["https://node01:9200","https://node02:9200","https://node03:9200"]
      index => "logstash-aa-%{+YYYY.MM.dd}" 
      user => "logstash_writer" 
      password => "logstash" 
    } 
} 

if [fields][service] == "messages" { 
    elasticsearch { 
      hosts => ["https://node01:9200","https://node02:9200","https://node03:9200"]
      index => "logstash-messages-%{+YYYY.MM.dd}" 
      user => "logstash_writer" 
      password => "logstash" 
    } 
}