[root@elkstack-1 ~]\# vim /data/elk/logstash/conf.d/nginx_tomcat.conf
# NOTE(review): this listing is an excerpt of the pipeline file; the enclosing
# input/filter/output sections and their closing braces are not shown here.
path => "/var/log/test/nginx.log"
"app" => "nginx" # collect the nginx log and add an app=nginx field to each event
# NOTE(review): no matching "app" => "tomcat" line is visible for the path below;
# presumably it was dropped from the excerpt. Confirm against the full file.
path => "/var/log/test/tomcat.log"
# Routing maps [app] onto a fixed set of index names instead of interpolating the
# field into the index name, so an unexpected app value falls through to unknown-app-*.
if [app] in ["nginx","tengine"] { # check whether the app field is nginx or tengine
"[@metadata][target_index]" => "nginx-app-%{+YYYY.MM.dd}" # declare a metadata field named target_index whose value is the index name for nginx logs
else if [app] == "tomcat" { # check whether the app field is tomcat
"[@metadata][target_index]" => "tomcat-app-%{+YYYY.MM.dd}" # declare a metadata field named target_index whose value is the index name for tomcat logs
else { # if none of the conditions match, store the event in the index below
"[@metadata][target_index]" => "unknown-app-%{+YYYY.MM.dd}" # value is unknown
# NOTE(review): the visible output settings carry no TLS or credential options and
# address port 9200 directly. Confirm the cluster has security enabled or is
# reachable only from trusted hosts.
hosts => ["192.168.20.11:9200","192.168.20.12:9200","192.168.20.13:9200"]
# [@metadata] fields are not written out with the event, so target_index is used
# for routing only and does not appear in the stored document.
index => "%{[@metadata][target_index]}" # reference the target_index metadata so each log is stored in its matching index
# Validate the edited pipeline first (Logstash's --config.test_and_exit) so that a
# syntax error does not stop log ingestion after the restart.
[root@elkstack-1 conf.d]\# systemctl restart logstash