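# Install the "nginx-access" ingest pipeline on the local Elasticsearch node.
#
# Processor order:
#   1. grok   - split the raw access-log line in "message" into nginx.access.* fields
#   2. geoip  - enrich nginx.access.remote_ip into nginx.access.geoip
#   3. rename - keep the original @timestamp (read time) as read_timestamp
#   4. date   - parse nginx.access.time and store it as @timestamp
#   5. grok   - best-effort OS / crawler label taken from the user agent
#   6. remove - drop the intermediate time field and the raw message
#
# Failure handling: the access-log grok and the date processor no longer carry
# "ignore_failure". With it, a line that did not match the pattern was still
# renamed and stripped of "message", leaving a document with neither the raw
# line nor an @timestamp - exactly the malformed requests an analyst most needs
# to see. A failure now stops the remaining processors and the pipeline-level
# "on_failure" handler records the reason in error.message, so the raw
# "message" is kept for review. The user-agent grok stays best-effort because
# many agents match none of its patterns.
#
# The date format uses "yyyy" (calendar year) instead of "YYYY", which
# java.time-based Elasticsearch versions read as week-based year and which
# yields wrong dates around year boundaries.
#
# NOTE(review): nginx.access.args and nginx.access.request_body are indexed
# verbatim. If the nginx log_format really records request bodies, submitted
# credentials and tokens end up searchable in the index - confirm index access
# is restricted or mask those fields before indexing.
# NOTE(review): the call assumes an unauthenticated HTTP listener on loopback;
# a node with security features enabled will need credentials and https here.
curl -H "Content-Type: application/json" -X PUT http://127.0.0.1:9200/_ingest/pipeline/nginx-access -d '
{
  "description" : "nginx-access",
  "processors" : [
    {
      "grok" : {
        "field" : "message",
        "patterns" : [
          "^%{DATA:nginx.access.remote_ip} - \\[%{HTTPDATE:nginx.access.time}\\] \"%{WORD:nginx.access.method} %{DATA:nginx.access.url}\" \"%{DATA:nginx.access.args}\" \"%{DATA:nginx.access.request_body}\" %{NUMBER:nginx.access.response_code} %{NUMBER:nginx.access.body_sent.bytes} \"%{DATA:nginx.access.referrer}\" \"%{DATA:nginx.access.agent}\" \"%{DATA:nginx.access.x_forward_for}\""
        ],
        "ignore_missing" : true
      }
    },
    {
      "geoip" : {
        "field" : "nginx.access.remote_ip",
        "target_field" : "nginx.access.geoip",
        "ignore_missing" : true,
        "ignore_failure" : true
      }
    },
    {
      "rename" : {
        "field" : "@timestamp",
        "target_field" : "read_timestamp"
      }
    },
    {
      "date" : {
        "formats" : [ "dd/MMM/yyyy:H:m:s Z" ],
        "timezone" : "Asia/Shanghai",
        "field" : "nginx.access.time",
        "target_field" : "@timestamp"
      }
    },
    {
      "grok" : {
        "field" : "nginx.access.agent",
        "patterns" : [
          "%{ANDROID:nginx.access.os}",
          "%{LINUX:nginx.access.os}",
          "%{IOS:nginx.access.os}",
          "%{MACOSX:nginx.access.os}",
          "%{WINDOWS:nginx.access.os}",
          "%{DARWIN:nginx.access.os}",
          "%{SOGOU:nginx.access.os}",
          "%{BINGBOT:nginx.access.os}",
          "%{OFFICE:nginx.access.os}"
        ],
        "pattern_definitions" : {
          "ANDROID" : "Android *[0-9]*",
          "LINUX" : "Linux (x86_64|i386|i686)",
          "IOS" : "OS [0-9]+",
          "MACOSX" : "Mac OS X [0-9]+",
          "WINDOWS" : "Windows NT [0-9.]+",
          "DARWIN" : "Darwin",
          "SOGOU" : "Sogou web spider",
          "BINGBOT" : "bingbot",
          "OFFICE" : "Microsoft Office [^ ]*"
        },
        "ignore_missing" : true,
        "ignore_failure" : true
      }
    },
    {
      "remove" : {
        "field" : "nginx.access.time",
        "ignore_failure" : true
      }
    },
    {
      "remove" : {
        "field" : "message"
      }
    }
  ],
  "on_failure" : [
    {
      "set" : {
        "field" : "error.message",
        "value" : "{{ _ingest.on_failure_message }}"
      }
    }
  ]
}'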