github-mirrors/logstash
1
0
Fork 0
mirror of https://github.com/elastic/logstash.git synced 2025-04-24 06:37:19 -04:00
Code Issues Projects Releases Packages Wiki Activity

Fix example and add couple of usage notes (#7374)

Browse source
This commit is contained in:
DeDe Morton 2017-06-15 11:33:46 -07:00 committed by GitHub
parent 5c8caed802
commit 72149f7374
1 changed files with 18 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

25
docs/static/advanced-pipeline.asciidoc vendored
View file

@ -41,7 +41,7 @@ directory, and replace the contents with the following lines. Make sure `paths`
[source,yaml]
--------------------------------------------------------------------------------
filebeat.prospectors:
- input_type: log
- type: log
paths:
- /path/to/file/logstash-tutorial.log <1>
output.logstash:
@ -62,6 +62,10 @@ At the data source machine, run Filebeat with the following command:
sudo ./filebeat -e -c filebeat.yml -d "publish"
--------------------------------------------------------------------------------
NOTE: If you run Filebeat as root, you need to change ownership of the configuration file (see
{libbeat}config-file-permissions.html[Config File Ownership and Permissions]
in the _Beats Platform Reference_).
Filebeat will attempt to connect on port 5043. Until Logstash starts with an active Beats plugin, there
wont be any answer on that port, so any messages you see regarding failure to connect on that port are normal for now.
@ -148,6 +152,10 @@ bin/logstash -f first-pipeline.conf --config.reload.automatic
The `--config.reload.automatic` option enables automatic config reloading so that you don't have to stop and restart Logstash
every time you modify the configuration file.
As Logstash starts up, you might see one or more warning messages about Logstash ignoring the `pipelines.yml` file. You
can safely ignore this warning. The `pipelines.yml` file is used for running <<multiple-pipelines,multiple pipelines>>
in a single Logstash instance. For the examples shown here, you are running a single pipeline.
If your pipeline is working correctly, you should see a series of events like the following written to the console:
[source,json]
@ -160,7 +168,7 @@ If your pipeline is working correctly, you should see a series of events like th
"hostname" => "My-MacBook-Pro.local",
"name" => "My-MacBook-Pro.local"
},
"input_type" => "log",
"type" => "log",
"host" => "My-MacBook-Pro.local",
"source" => "/path/to/file/logstash-tutorial.log",
"message" => "83.149.9.216 - - [04/Jan/2015:05:13:42 +0000] \"GET /presentations/logstash-monitorama-2013/images/kibana-search.png HTTP/1.1\" 200 203023 \"http://semicomplete.com/presentations/logstash-monitorama-2013/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36\"",
@ -265,7 +273,10 @@ Next, restart Filebeat with the following command:
sudo ./filebeat -e -c filebeat.yml -d "publish"
--------------------------------------------------------------------------------
After processing the log file with the grok pattern, the events will have the following JSON representation:
There might be a slight delay before Filebeat begins processing events if it needs to wait for Logstash to reload the
config file.
After Logstash applies the grok pattern, the events will have the following JSON representation:
[source,json]
--------------------------------------------------------------------------------
@ -275,7 +286,7 @@ After processing the log file with the grok pattern, the events will have the fo
"offset" => 325,
"auth" => "-",
"ident" => "-",
"input_type" => "log",
"type" => "log",
"verb" => "GET",
"source" => "/path/to/file/logstash-tutorial.log",
"message" => "83.149.9.216 - - [04/Jan/2015:05:13:42 +0000] \"GET /presentations/logstash-monitorama-2013/images/kibana-search.png HTTP/1.1\" 200 203023 \"http://semicomplete.com/presentations/logstash-monitorama-2013/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36\"",
@ -504,7 +515,7 @@ You should get multiple hits back. For example:
"offset" : 2932,
"auth" : "-",
"ident" : "-",
"input_type" : "log",
"type" : "log",
"verb" : "GET",
"source" : "/path/to/file/logstash-tutorial.log",
"message" : "83.149.9.216 - - [04/Jan/2015:05:13:45 +0000] \"GET /presentations/logstash-monitorama-2013/images/frontend-response-codes.png HTTP/1.1\" 200 52878 \"http://semicomplete.com/presentations/logstash-monitorama-2013/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36\"",
@ -586,7 +597,7 @@ A few log entries come from Buffalo, so the query produces the following respons
"offset" : 21471,
"auth" : "-",
"ident" : "-",
"input_type" : "log",
"type" : "log",
"verb" : "GET",
"source" : "/path/to/file/logstash-tutorial.log",
"message" : "108.174.55.234 - - [04/Jan/2015:05:27:45 +0000] \"GET /?flav=rss20 HTTP/1.1\" 200 29941 \"-\" \"-\"",
@ -682,7 +693,7 @@ directory, and replace the contents with the following lines. Make sure `paths`
[source,shell]
--------------------------------------------------------------------------------
filebeat.prospectors:
- input_type: log
- type: log
paths:
- /var/log/*.log <1>
fields: