#輸入  
input {  
 file {  
        path => ["文件路徑"]  
#自定義類型  
        type => "自定義"  
       start_position => "beginning"  
    }  
}  
  
#過濾器  
filter{  
#去除換行符  
mutate{  
gsub => [ "message", "\r", "" ]     
}  
  
#逗號分割  
mutate {    
  split => ["message",","]       
}  
  
#分割后，字段命名與賦值  
mutate{  
                add_field =>   {  
                                        "id" => "%{[message][0]}"  
                                        "mydate" => "%{[message][1]}"  
                                        "user" => "%{[message][2]}"  
                                        "pc" => "%{[message][3]}"  
                                        "to_user" => "%{[message][4]}"  
"cc" => "%{[message][5]}"  
"bcc" => "%{[message][6]}"  
"from_user" => "%{[message][7]}"  
                                        "size" => "%{[message][8]}"  
"attachments" => "%{[message][9]}"  
"content" => "%{[message][10]}"  
                     }   
               }  
  
#字段里的日期識別，以及時(shí)區(qū)轉(zhuǎn)換，生成date  
      date {  
            match => [ "mydate", "MM/dd/yyyy HH:mm:ss" ]  
                       target => "date"  
  locale => "en"  
  timezone => "+00:00"    
      }  
  
#刪除無用字段  
mutate {    
  remove_field => "message"      
  remove_field => "mydate"      
  remove_field => "@version"      
  remove_field => "host"      
  remove_field => "path"      
}  
#將兩個字段轉(zhuǎn)換為整型  
mutate{  
convert => { "size" => "integer" }  
convert => { "attachments" => "integer" }  
}  
}  
  
#輸出，輸出目標(biāo)為es  
output {  
    #stdout { codec => rubydebug }  
elasticsearch {  
    #目標(biāo)主機(jī)  
            host => ["目標(biāo)主機(jī)1","目標(biāo)主機(jī)2"]  
    #協(xié)議類型  
            protocol => "http"  
    #索引名  
            index =>"自定義"  
        }    
}