1. Query all records from Elasticsearch
curl -XGET "http://localhost:9200/logstash-*/_search?size=50&pretty"
http://stackoverflow.com/a/38874465/2177408
2. Run logstash
- /opt/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf
3. Linux commands (netstat, ps, kill)
- On Linux (Ubuntu derivatives at least)
- killall node
- is easier than this form.
- ps | grep <something>
- kill <somepid>
- Neither will work if you have an orphaned child holding the port. Instead, do this:
- netstat -punta | grep <port>
- If the port is being held you'll see something like this:
- tcp 0 0.0.0.0:<port> 0.0.0.* LISTEN <pid>/<parent>
- Now kill by pid:
- kill -9 <pid>
http://stackoverflow.com/a/22875192/2177408
4. Delete all data of an index in elasticsearch
http://stackoverflow.com/a/22932471/2177408
- curl -XDELETE localhost:9200/index/type/documentID
5. Match IPV4 and IPV6 in COMBINEDAPACHELOGS
http://stackoverflow.com/a/40084695/2177408
- %{IPV6:ipv6}:%{IPV4:ipv4}
6. Multiple matches in grok in logstash
  input {
    stdin {}
  }
  filter {
    grok {
      break_on_match => false
      match => [ "message", "%{WORD:word1}" ]
      match => [ "message", "%{WORD:word2}" ]
      match => [ "message", "%{WORD:word3}" ]
    }
  }
  output {
    stdout { codec => rubydebug }
  }
7. Regex for COMBINEDAPACHELOGS
http://stackoverflow.com/a/22380896/2177408
  grok {
    match => [ "message", "%{IP:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:apache_timestamp}\] \"%{WORD:method} /%{NOTSPACE:request_page} HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response} " ]
  }
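To check how the item 7 pattern (and the item 6 break_on_match behaviour) resolves against a log line without starting Logstash, here is an added Python example, not part of these notes or of Logstash itself. It expands grok-style %{NAME:field} references into a plain regex and runs it over two constructed lines, one with an IPv4 and one with an IPv6 client (item 5); the pattern definitions in GROK_PATTERNS are simplified stand-ins for the stock Logstash ones and are an assumption of this example.

```python
import re

# Stand-in grok pattern library for this example (assumption: simplified; the stock
# Logstash IPV6 and HTTPDATE definitions are considerably longer and stricter).
GROK_PATTERNS = {
    "IPV4": r"(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)",
    "IPV6": r"(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}",
    "IP": r"(?:%{IPV6}|%{IPV4})",           # IPv6 tried first, as stock grok does
    "USER": r"[a-zA-Z0-9._-]+",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
    "HTTPDATE": r"\d{1,2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
}
_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def grok_to_regex(pattern):
    """Recursively expand %{NAME} / %{NAME:field} into a Python regex."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        inner = grok_to_regex(GROK_PATTERNS[name])
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return _REF.sub(repl, pattern)

def grok_match(pattern, line):
    """Named captures for one pattern (anchored at line start), or None."""
    m = re.match(grok_to_regex(pattern), line)
    return m.groupdict() if m else None

def grok_multi(patterns, line, break_on_match=True):
    """Several match entries: stop at the first hit, or merge all hits when break_on_match is False."""
    fields = {}
    for p in patterns:
        hit = grok_match(p, line)
        if hit:
            fields.update(hit)
            if break_on_match:
                break
    return fields

# The item 7 pattern as a raw string (\" and \[ are regex escapes, as in the config)
COMBINED = (r'%{IP:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:apache_timestamp}\] '
            r'\"%{WORD:method} /%{NOTSPACE:request_page} HTTP/%{NUMBER:http_version}\" '
            r'%{NUMBER:server_response} ')
# Constructed sample lines (not real traffic), one IPv4 and one IPv6 client
V4_LINE = '203.0.113.5 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 "-" "Mozilla/4.08"'
V6_LINE = '2001:db8::1 - - [10/Oct/2000:13:55:36 -0700] "POST /login HTTP/1.1" 401 512 "-" "curl/7.68.0"'

if __name__ == "__main__":
    for line in (V4_LINE, V6_LINE):
        print(grok_match(COMBINED, line))
```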
8. After updating logstash.conf
- rm .sincedb*
- curl -XDELETE 'localhost:9200/logstash-*'
- sudo /etc/init.d/logstash stop
- sudo /etc/init.d/logstash start