1，解压包

tar -xf filebeat-7.15.2-linux-x86_64.tar.gz

2,编辑 filebeat.yml

filebeat.inputs:

- type: filestream

  enabled: true

  paths:

    - /export/Instances/shipment.wms5-c.jd.local-merge/server1/logs/check/*.log

    - /export/Instances/shipment.wms5-c.jd.local-merge/server1/logs/httplog/*.log

output.elasticsearch:

  hosts: ["11.51.192.190:9200"]

  index: "shipment-%{+yyyy.MM.dd}"

setup.template.name: "shipment"

setup.template.pattern: "shipment-*"

setup.ilm.enabled: false

3,后台启动：

nohup ./filebeat -e -c filebeat.yml >/dev/null 2>&1 &

4，启动报错：

no modules or inputs enabled and configuration reloading disabled. What files do you want me to watch?

自己遇到的情况是vim编辑复制时，input粘贴过去拼写错误

Exiting: setup.template.name and setup.template.pattern have to be set if index name is modified

必须要同时配置setup.template.name 和setup.template.pattern，但是，我配置了这两项怎么还是不行呢，还是同样的错误，重点来了：这两项的配置必须要顶格配置，不可以和index对齐写到一个缩进级别！这个是很容易写错的，大家注意！

自定义index启动异常：Template "filebeat-7.15.2" already exists and will not be overwritten.

https://iminto.github.io/post/filebeat%E4%BF%AE%E6%94%B9index%E7%9A%84%E4%B8%80%E4%B8%AA%E5%9D%91/

启动后自动退出问题

https://blog.csdn.net/doublebaidu/article/details/120880257

kibana问题

https://www.cnblogs.com/cxygg/p/9471025.html

https://blog.csdn.net/wang909125961/article/details/87873369

https://blog.csdn.net/weixin_42715225/article/details/115184069

删除索引：

https://www.sarulabs.com/post/5/2019-08-12/sending-docker-logs-to-elasticsearch-and-kibana-with-filebeat.html

https://help.aliyun.com/document_detail/107289.html

https://www.elastic.co/guide/en/elasticsearch/client/curator/current/index.html

https://www.xiaocaicai.com/2021/01/%E4%BD%BF%E7%94%A8curator%E5%AE%9A%E6%9C%9F%E6%B8%85%E7%90%86elasticsearch%E6%95%B0%E6%8D%AE/