一、配置自定义索引

yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /tmp/test.log
    - /tmp/*.txt
  tags: ["oldboyedu-linux80","容器运维","DBA运维","SRE运维工程师"]
  fields:
    school: "北京昌平区沙河镇"
    class: "linux80"

- type: log
  enabled: true
  paths:
    - /tmp/test/*/*.log
  tags: ["oldboyedu-python","云原生开发"]
  fields:
    name: "oldboy"
    hobby: "linux,抖音"
  fields_under_root: true

output.elasticsearch:
  enabled: true
  hosts: ["http://192.168.201.112:9200", "http://192.168.201.113:9200", "http://192.168.201.114:9200"]
  index: "mysongxuan-elk-%{+yyyy.MM.dd}"
  
# 禁用索引生命周期管理
setup.ilm.enabled: false
# 设置索引名字
setup.template.name: "mysongxuan-elk"
setup.template.pattern: "mysongxuan-elk*"

/var/lib/filebeat/ 存储Filebeat的注册表文件（registry），记录日志文件的采集状态（如offset、inode等） 删除该目录会‌重置采集状态‌，但不会直接影响模板加载

js
rm -rf /var/lib/filebeat/*

重新配置文件后启动，我的自定义索引模版就出来了

然后创建索引模式，就可以看到我自定义的索引模式了

二、根据不同的tags进行索引查询

yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /tmp/*.txt
  tags: ["songxuan","xuan"]
  fields:
    name: "松轩"
    class: "linux"

- type: log
  enabled: true
  paths:
    - /tmp/*.log
  tags: ["xiaoming","xiaoqiang"]
  fields:
    name: "小明"
    hobby: "python"
  fields_under_root: true

output.elasticsearch:
  enabled: true
  hosts: ["http://192.168.201.112:9200", "http://192.168.201.113:9200", "http://192.168.201.114:9200"]
  index: "mysongxuan-elk-%{+yyyy.MM.dd}"
  indices:
    - index: "mysongxuan-elk-%{+yyyy.MM.dd}"
      when.contains:
        tags: "songxuan"
    - index: "mysongxuan-python-%{+yyyy.MM.dd}"
      when.contains:
        tags: "xiaoming"

# 禁用索引生命周期管理
setup.ilm.enabled: false
# 设置索引模板
setup.template.name: "mysongxuan-elk"
setup.template.pattern: "mysongxuan-elk*"

删除后启动

js
rm -rf /var/lib/filebeat/*

js
filebeat -e -c /etc/filebeat/filebeat.yml

重新查看后有就出现两条索引了，

最后去索引模式创建索引

然后查看标签是songxuan的只有对应文本的数据