如何使用if-else条件进行弹性搜索，根据输出部分中logstash conf中的名称过滤kafka主题

Question

我正在为Elkstack使用新版本的Kafka插件

input {
  kafka {
    bootstrap_servers => "1XX.X.X.X:9092"
    topics => ["test_all_logs","test_apiserver_logs","test_orchestrator_logs","test_credentialstore_logs","test_gfac_logs","local_api-orch_logs","__consumer_offsets,local_gfac_logs"]
    auto_offset_reset => "earliest"
    decorate_events => "true"
  }
}

filter{

json {
    source => "message"
    target => "doc"
  }
  mutate { add_field => { "level" => "%{[doc][level]}"}}
  mutate { add_field => { "logger" => "%{[doc][loggerName]}" } }
}

output {
  stdout { codec => rubydebug }
  elasticsearch {
    if [@metadata][kafka][topic]== "test_all_logs" {
        hosts => ["localhost:9200"]
        index => ["test-all-logs-%{+YYYY.MM.dd}"]
    }
    if [@metadata][kafka][topic] == "test_apiserver_logs" {
        hosts => ["localhost:9200"]
        index => ["test_apiserver_logs-%{+YYYY.MM.dd}"]
    }
    if [@metadata][kafka][topic] == "test_orchestrator_logs" {
        hosts => ["localhost:9200"]
        index => ["test_orchestrator_logs-%{+YYYY.MM.dd}"]
    }
    if [@metadata][kafka][topic] == "test_credentialstore_logs" {
        hosts => ["localhost:9200"]
        index => ["test_credentialstore_logs-%{+YYYY.MM.dd}"]
    }
    if [@metadata][kafka][topic} == "test_gfac_logs" {
        hosts => ["localhost:9200"]
        index => ["test_gfac_logs-%{+YYYY.MM.dd}"]
    }
  }
}

我正在跟踪许多没有正确答案的链接： 如何编写Logstash过滤器以过滤kafka主题

https://www.elastic.co/guide/zh-CN/logstash/current/plugins-inputs-kafka.html#plugins-inputs-kafka-decorate_events

我有个建议，我应该添加decorate_events => "true" 。 并添加了@metadata属性。

我执行了命令：

/opt/logstash/bin/logstash -f airavata/logstash-airavata.conf --path.data ./airavata/

但是我收到以下错误：

Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, => at line 24, column 8 (byte 579) after output {\n  stdout { codec => rubydebug }\n\n  elasticsearch {\n    if ", 

:backtrace=>["/opt/logstash/logstash-core/lib/logstash/compiler.rb:42:in `compile_ast'", "/opt/logstash/logstash-core/lib/logstash/compiler.rb:50:in `compile_imperative'", "/opt/logstash/logstash-core/lib/logstash/compiler.rb:54:in `compile_graph'", "/opt/logstash/logstash-core/lib/logstash/compiler.rb:12:in `block in compile_sources'", "org/jruby/RubyArray.java:2486:in `map'", "/opt/logstash/logstash-core/lib/logstash/compiler.rb:11:in `compile_sources'", "/opt/logstash/logstash-core/lib/logstash/pipeline.rb:107:in `compile_lir'", "/opt/logstash/logstash-core/lib/logstash/pipeline.rb:49:in `initialize'", "/opt/logstash/logstash-core/lib/logstash/pipeline.rb:215:in `initialize'", "/opt/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:35:in `execute'", "/opt/logstash/logstash-core/lib/logstash/agent.rb:335:in `block in converge_state'", "/opt/logstash/logstash-core/lib/logstash/agent.rb:141:in `with_pipelines'", "/opt/logstash/logstash-core/lib/logstash/agent.rb:332:in `block in converge_state'", "org/jruby/RubyArray.java:1734:in `each'", "/opt/logstash/logstash-core/lib/logstash/agent.rb:319:in `converge_state'", "/opt/logstash/logstash-core/lib/logstash/agent.rb:166:in `block in converge_state_and_update'", "/opt/logstash/logstash-core/lib/logstash/agent.rb:141:in `with_pipelines'", "/opt/logstash/logstash-core/lib/logstash/agent.rb:164:in `converge_state_and_update'", "/opt/logstash/logstash-core/lib/logstash/agent.rb:90:in `execute'", "/opt/logstash/logstash-core/lib/logstash/runner.rb:362:in `block in execute'", "/opt/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:24:in `block in initialize'"]}

有人可以用正确的语法而不是未经煮过的语法帮助我犯错吗？

Answer 1

是的，您绝对需要将decorate_events属性设置为true。 这是一个布尔值，因此您无需将其用引号引起来。 只需将此行添加到您的Kafka输入部分：

decorate_events => true

ElasticSearch输出插件中不允许使用条件语句。 相反，将您的整个elasticsearch块包装为：

if [@metadata][kafka][topic] == "topicA" {
    elasticsearch {
        index => "indexA"
        ...
    }      
} else {
    elasticsearch {
       index => "indexB"
       ...
    }         
}