input {
  # Events are read from standard input (manual feed or a test harness).
  # The filter stage below expects each raw log line in the "message" field.
  stdin { }
}
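filter {
  # Parse an nginx "combined" access-log line into nested [nginx][access][*] fields.
  # The literal "[", "]" and inner quotes of the log line are regex / config-string
  # metacharacters and must be escaped: unescaped, the config string terminates at the
  # first inner quote and the pipeline fails to load at all.
  grok {
    match => { "message" => ["%{IPORHOST:[nginx][access][remote_ip]} - %{DATA:[nginx][access][user_name]} \[%{HTTPDATE:[nginx][access][time]}\] \"%{WORD:[nginx][access][method]} %{DATA:[nginx][access][url]} HTTP/%{NUMBER:[nginx][access][http_version]}\" %{NUMBER:[nginx][access][response_code]} %{NUMBER:[nginx][access][body_sent][bytes]} \"%{DATA:[nginx][access][referrer]}\" \"%{DATA:[nginx][access][agent]}\""] }
    # Applied only when the match succeeds: lines that do not parse keep the raw
    # message and get the _grokparsefailure tag, so malformed or hostile input can
    # be triaged instead of silently lost.
    remove_field => "message"
  }
  mutate {
    # Ingest time, captured before the date filter overwrites @timestamp with the
    # time taken from the log line itself.
    add_field => { "read_timestamp" => "%{@timestamp}" }
  }
  date {
    # nginx $time_local, e.g. 10/Oct/2000:13:55:36 -0700.
    # Use the calendar year (yyyy), not the ISO week-year (YYYY), which yields the
    # wrong year for the last days of December / first days of January.
    match => [ "[nginx][access][time]", "dd/MMM/yyyy:HH:mm:ss Z" ]
    # Removed only on successful parse; failures are tagged _dateparsefailure and
    # keep the original string.
    remove_field => "[nginx][access][time]"
  }
  useragent {
    # The User-Agent header is client-controlled; it is parsed into a structured
    # sub-document and the raw string is dropped once parsed.
    source => "[nginx][access][agent]"
    target => "[nginx][access][user_agent]"
    remove_field => "[nginx][access][agent]"
  }
  mutate {
    # Store the byte count numerically so it can be summed / ranged in queries.
    convert => { "[nginx][access][body_sent][bytes]" => "integer" }
  }
}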
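output {
  elasticsearch {
    # Plain HTTP to a node on this host, with no credentials. If Elasticsearch is
    # reachable from anywhere other than localhost, or has security enabled, set
    # ssl/cacert and user/password (or api_key) here rather than shipping logs and
    # credentials in the clear.
    hosts => [ "localhost" ]
    # One index per day. yyyy is the calendar year; YYYY is the ISO week-year and
    # files the last days of December under the following year's index.
    index => "logstash-%{+yyyy.MM.dd}"
  }
}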
时间轴 (Timeline — Kibana Timelion expression for the indices written above)
.es(q='nginx.access.response_code:200', index='logstash*', timefield='@timestamp').label('OK'), .es(q='nginx.access.response_code:404', index='logstash*', timefield='@timestamp').label('Page Not Found')