svnshikhil
12/14/2017 - 9:08 AM

Get started with logstash

http://localhost:9200/vision*/_settings

{
  "index.mapping.total_fields.limit": 10000000
}
# Apply Mapping

# Create an index called my_index.

# Add a mapping type called doc.

# Specify fields or properties.

# Specify the data type and mapping for each field.

# Create my_index with a "doc" mapping type whose four fields get explicit
# types (two keyword, two integer). Mapping types are an ES 5/6-era construct:
# deprecated in 7.x and gone in 8.x, where the "doc" level is dropped.
curl --request PUT 'localhost:9200/my_index?pretty' \
  --header 'Content-Type: application/json' \
  --data '{
    "mappings": {
      "doc": {
        "properties": {
          "speaker":       { "type": "keyword" },
          "play_name":     { "type": "keyword" },
          "line_id":       { "type": "integer" },
          "speech_number": { "type": "integer" }
        }
      }
    }
  }'


# Sample log ======> apache.log

127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 "http://www.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"


# Sample config ===>

# Pipeline: read apache.log from its first line, pull the client IP and the
# auth user out of each event, and ship events to Elasticsearch and stdout.
input {
  file {
    path => "<path>apache.log"
    # /dev/null disables the sincedb, so the file is re-read from the top on
    # every restart (intended for a tutorial, not for a production tail).
    sincedb_path => "/dev/null"
    start_position => "beginning"
    codec => plain { charset => "ISO-8859-15" }
  }
}

filter {
  # Only the leading "<ip> - <user>" prefix is parsed; for a combined-format
  # line like the sample above, the request, status, size, referer and user
  # agent remain unparsed inside "message". Events whose message does not
  # match are not dropped; grok tags them _grokparsefailure.
  grok {
    match => { "message" => "%{IP:client}%{SPACE}-%{SPACE}%{WORD:auth}" }
  }
}

output {
  # No TLS or credentials are configured here; this targets a local node.
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "test-log"
  }
  stdout { codec => "rubydebug" }
}


# bin/logstash -f apache.conf
# Download the logstash

# Change dir

# Create config file

$ vim <name>.conf

# Minimal pipeline: each line typed on stdin becomes an event that is indexed
# into the local Elasticsearch node and echoed to the console in rubydebug form.
input {
  stdin { }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
  }
  stdout {
    codec => rubydebug
  }
}

# Run logstash

$ bin/logstash -f logstash-simple.conf

--------------------------------------------------------------------------------