
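Logstash configuration file for reading data, storing it in Elasticsearch and syncing it to Kibana; after restarting Logstash, the same file can be read multiple times.

Date: 2023-07-13

File to analyze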

    2021-03-19 16:40:48 ###################
    --CPU--
    cpu cores: 1
    us=2
    sy=0
    id=97
    wa=0
    st=0
    CPU_RATE:0.83%
    2021-03-19 16:41:53 ###################
    --CPU--
    cpu cores: 1
    us=2
    sy=0
    id=97
    wa=0
    st=0
    CPU_RATE:0.73%

logstash.conf file

    input {
      file {
        type => "system"
        path => "/home/system/*.log"
        # start_position is only honored in tail mode; read mode always starts at the beginning
        start_position => "beginning"
        # no read position is persisted, so files are read again after a restart
        sincedb_path => "/dev/null"
        mode => "read"
        # each file is deleted once it has been read completely
        file_completed_action => "delete"
        # every line that does not start a new record is appended to the previous event
        codec => multiline {
          pattern => "^\d*[./-]\d*[./-]\d* \d*:\d*:\d* ###################"
          negate => true
          what => "previous"
        }
      }
    }

    filter {
      if [type] == "system" {
        grok {
          match => {
            "message" => '(?<timestamp>(\d*[./-]\d*[./-]\d* \d*:\d*:\d*)) %{NOTSPACE}%{SPACE}--%{WORD:name}--%{SPACE}%{WORD} %{WORD}%{SPACE}%{NOTSPACE} %{INT:cpuCores}%{SPACE}%{WORD}=%{WORD:us}%{SPACE}%{WORD}=%{WORD:sy}%{SPACE}%{WORD}=%{WORD:id}%{SPACE}%{WORD}=%{WORD:wa}%{SPACE}%{WORD}=%{WORD:st}%{SPACE}%{WORD}:%{NOTSPACE:CPU_RATE}'
          }
        }
        # use the record's own timestamp as the event time
        date {
          match => ["timestamp", "yyyy-MM-dd HH:mm:ss"]
        }
      }
    }

    output {
      if [type] == "system" {
        elasticsearch {
          hosts => ["http://*.*.*.*:9200"]
          index => "system"
        }
      }
    }
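To check the multiline grouping and the grok fields offline before restarting Logstash, the following added example (not part of the original page) emulates both steps in Python. It assumes each field of a record sits on its own line, translates the grok macros to plain regex by hand, and adds a constructed truncated record to show the failure case.

```python
import re

# Same regex as the multiline codec's `pattern`: a line that opens a new record.
RECORD_START = re.compile(r"^\d*[./-]\d*[./-]\d* \d*:\d*:\d* ###################")

# Hand translation of the grok expression: SPACE -> \s*, WORD -> \w+,
# NOTSPACE -> \S+, INT -> [+-]?\d+. Field names are the ones used in the filter.
RECORD = re.compile(
    r"(?P<timestamp>\d*[./-]\d*[./-]\d* \d*:\d*:\d*) \S+\s*--(?P<name>\w+)--\s*"
    r"\w+ \w+\s*\S+ (?P<cpuCores>[+-]?\d+)\s*"
    r"\w+=(?P<us>\w+)\s*\w+=(?P<sy>\w+)\s*\w+=(?P<id>\w+)\s*"
    r"\w+=(?P<wa>\w+)\s*\w+=(?P<st>\w+)\s*\w+:(?P<CPU_RATE>\S+)"
)

# Constructed sample: the two records from the page plus one truncated record.
SAMPLE = (
    "2021-03-19 16:40:48 ###################\n--CPU--\ncpu cores: 1\n"
    "us=2\nsy=0\nid=97\nwa=0\nst=0\nCPU_RATE:0.83%\n"
    "2021-03-19 16:41:53 ###################\n--CPU--\ncpu cores: 1\n"
    "us=2\nsy=0\nid=97\nwa=0\nst=0\nCPU_RATE:0.73%\n"
    "2021-03-19 16:42:58 ###################\n--CPU--\ncpu cores: 1\n"
)

def group_events(text):
    """Emulate negate => true, what => "previous": a line that does not
    match RECORD_START is appended to the event before it."""
    events = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events

def parse(event):
    """Return the extracted fields, or tag the event like a grok failure."""
    m = RECORD.search(event)
    if m is None:
        return {"message": event, "tags": ["_grokparsefailure"]}
    return {"message": event, **m.groupdict()}

if __name__ == "__main__":
    for ev in group_events(SAMPLE):
        print(parse(ev))
```

Events that come back tagged `_grokparsefailure` here would be indexed into `system` without the CPU fields, so they are worth filtering on in Kibana.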
