試過各種方法，最終存儲到es,發(fā)現(xiàn)在grok定義的變量%{}無法在后面獲取，最終es索引中只有一個(gè)message,沒有clientip、ident、auth之類變量，但是網(wǎng)上看到別人的都可以存儲input{file{path=>"/var/tomcat8/logs/vg_access_log*.txt"sincedb_path=>"/usr/local/logstash/etc/sincedb_tomcat_log.txt"type=>"tomcat_log"add_field=>{"tomcatip"=>"xxx"}}}filter{if[type]=="tomcat_log"{grok{match=>{"message"=>"%{IPORHOST:clientip}%{USER:ident}%{USER:auth}\[%{HTTPDATE:timestamp}\]\"(?:%{WORD:verb}%{URIPATHPARAM:request}(?:HTTP/%{NUMBER:httpversion})?|-)\"%{NUMBER:response}(?:%{NUMBER:bytes}|-)%{NUMBER:responsetime}\"(?:%{URI:referrer}|-)\"%{QS:agent}"}}kv{source=>"request"field_split=>"&?"value_split=>"="}date{match=>["timestamp","dd/MMM/yyyy:HH:mm:ssZ"]target=>["writetime"]}mutate{convert=>{"response"=>"integer""bytes"=>"integer""responsetime"=>"integer"}}}}output{if[type]=="tomcat_log"{elasticsearch{hosts=>["xxx:9200"]index=>"tomcat-log-%{+YYYY.MM.dd}"}}}