Work-configuration-file/filebast/海外148/filebeat.yml

setup.template.enabled: true
setup.ilm.enabled: true
setup.template.name: "out-148-flymoonlog"
setup.template.pattern: "out-148-flymoonlog*"



#主配置文件加载子配置文件
filebeat.config.inputs:
  enabled: true
  path: /etc/filebeat/inputs.d/*.yml
  reload.enabled: true
  reload.period: 10s



# 处理器
processors:
  ## 针对 influencer_im.log 的 dissect（基础字段分解）
  - dissect:
      when:
        equals:
          log_type: influencer_search.log
      tokenizer: '%{timestamp} - %{module} - %{level} - %{raw_tail}'
      field: "message"
      target_prefix: "mylog"
      ignore_missing: true
      overwrite_keys: true

  # 从 message 中提取 user_email
  - dissect:
      when:
        equals:
          log_type: influencer_search.log
      tokenizer: '[user_email: %{user_email}] %{tail}'
      field: "mylog.raw_tail"
      target_prefix: "mylog"
      ignore_missing: true
      overwrite_keys: true

  # 提取 conversation_id
  - dissect:
      when:
        equals:
          log_type: influencer_search.log
      tokenizer: '[conversation_id: %{conversation_id}] %{tail}'
      field: "mylog.tail"
      target_prefix: "mylog"
      ignore_missing: true
      overwrite_keys: true






  ## 针对 influencer_5002.log 的 dissect（基础字段分解）
  - dissect:
      when:
        equals:
          log_type: influencer_5002.log
      tokenizer: '%{timestamp} - %{module} - %{level} - %{raw_tail}'
      field: "message"
      target_prefix: "mylog"
      ignore_missing: true
      overwrite_keys: true

  # 从 message 中提取 user_email
  - dissect:
      when:
        equals:
          log_type: influencer_5002.log
      tokenizer: '[user_email: %{user_email}] %{tail}'
      field: "mylog.raw_tail"
      target_prefix: "mylog"
      ignore_missing: true
      overwrite_keys: true

  # 提取 conversation_id
  - dissect:
      when:
        equals:
          log_type: influencer_5002.log
      tokenizer: '[conversation_id: %{conversation_id}] %{tail}'
      field: "mylog.tail"
      target_prefix: "mylog"
      ignore_missing: true
      overwrite_keys: true









#输出
output.elasticsearch:
  hosts: ["http://106.53.194.199:9200"]
  username: "admin"
  password: "123456"
  index: "out-148-flymoonlog-%{[environment]}-%{[application]}-%{+yyyy.MM}"  # 按月分割索引
  bulk_max_size: 50       # 单批次传输最大文档数
  worker: 1                # 并行工作线程数
  timeout: 15s



# 日志记录
logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat.log
  keepfiles: 7
  permissions: 0644



# 设置队列和内存使用
queue.mem:
  events: 1024
  flush.min_events: 512
  flush.timeout: 10s