我搭建的日志分析系統(tǒng)�����,用filebeat作為輸入直接輸入到es中����,中間沒有l(wèi)ogstash。發(fā)現(xiàn)有個(gè)問題���,監(jiān)聽的某個(gè)文件只要有修改就會(huì)把該文件所有數(shù)據(jù)輸入到es中����,早晨會(huì)有數(shù)據(jù)重復(fù)�����。請(qǐng)問這個(gè)問題怎么解決�。我的filebeat配置文件如下:
filebeat.prospectors:
- type: log
enabled: true
json.keys_under_root: true
json.overwrite_keys: true
json.message_key: log
tail_files: true
harvester_buffer_size: 16384
backoff: "1s"
document_type: "car"
paths:
- /usr/local/elasticsearch/logs/*.log
#============================= Filebeat modules ===============================
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
#==================== Elasticsearch template setting ==========================
setup.template.pattern: "filebeat-%{[beat.version]}-*"
setup.template.name: "filebeat-%{[beat.version]}"
setup.template.settings:
index.number_of_shards: 3
output.elasticsearch:
hosts: ["192.168.220.111:9200"]
index: "filebeat-car-%{+yyyy.MM.dd}"
processors:
- decode_json_fields:
fields: ["message"]
process_array: false
max_depth: 1
target: ""
overwrite_keys: false
json.keys_under_root: true
json.overwrite_keys: true
還望大神解答!
