k8sConfigs/efk_cluster/fileBeat-config.yaml

# filebeat-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-config
  namespace: efk
data:
  filebeat.yml: |
    filebeat.inputs:
    - type: http_endpoint
      enabled: true
      listen_address: 0.0.0.0:8888
      path: "/"
      json.keys_under_root: true

    processors:
      # 提取路径中的变量（严格模式）
      - dissect:
          tokenizer: "/tanya.candle.%{currency}.%{year}.%{interval}"
          field: "http.request.path"
          target_prefix: ""
          ignore_missing: false  # 关键：关闭忽略缺失

      # 强制设置默认值（即使字段为空）
      - script:
          lang: javascript
          source: |
            function process(event) {
              // 先检查字段是否存在，不存在则设置默认值
              if (!event.containsKey('currency') || event.get('currency') === '') {
                event.put('currency', 'unknown');
              }
              if (!event.containsKey('year') || event.get('year') === '') {
                event.put('year', '0000');
              }
              if (!event.containsKey('interval') || event.get('interval') === '') {
                event.put('interval', '0D');
              }
            }

    output.elasticsearch:
      hosts: ["http://elasticsearch:9200"]
      username: "fluentd_user"
      password: "fluentd_password"
      indices:
        - index: "logstash-candle-${currency}-${year}-${interval}"
          # 严格验证字段值非空
          when.and:
            - not.equals:
                currency: ""
            - not.equals:
                year: ""
            - not.equals:
                interval: ""
        - index: "fallback-index"
          when.or:
            - equals:
                currency: ""
            - equals:
                year: ""
            - equals:
                interval: ""