我写了一个logstash conf文件来读取日志。如果使用默认索引,即logstash- *,则可以在kibana中看到.raw字段。但是,如果我在logstash中的conf文件中创建新索引,例如
output{
elasticsearch {
hosts => "localhost"
index => "batchjob-*"}
}
然后,新索引无法配置.raw字段。有解决问题的解决方法吗?十分感谢。
最佳答案
原始字段由Logstash elasticsearch输出在Elasticsearch中创建的specific index template创建。
您只需将模板复制到名为batchjob.json的文件中,然后将模板名称更改为batchjob-*(请参见下文)
{
"template" : "batchjob-*",
"settings" : {
"index.refresh_interval" : "5s"
},
"mappings" : {
"_default_" : {
"_all" : {"enabled" : true, "omit_norms" : true},
"dynamic_templates" : [ {
"message_field" : {
"match" : "message",
"match_mapping_type" : "string",
"mapping" : {
"type" : "string", "index" : "analyzed", "omit_norms" : true,
"fielddata" : { "format" : "disabled" }
}
}
}, {
"string_fields" : {
"match" : "*",
"match_mapping_type" : "string",
"mapping" : {
"type" : "string", "index" : "analyzed", "omit_norms" : true,
"fielddata" : { "format" : "disabled" },
"fields" : {
"raw" : {"type": "string", "index" : "not_analyzed", "ignore_above" : 256}
}
}
}
} ],
"properties" : {
"@timestamp": { "type": "date" },
"@version": { "type": "string", "index": "not_analyzed" },
"geoip" : {
"dynamic": true,
"properties" : {
"ip": { "type": "ip" },
"location" : { "type" : "geo_point" },
"latitude" : { "type" : "float" },
"longitude" : { "type" : "float" }
}
}
}
}
}
}
然后,您可以像这样修改
elasticsearch输出:output {
elasticsearch {
hosts => "localhost"
index => "batchjob-*"
template_name => "batchjob"
template => "/path/to/batchjob.json"
}
}
关于elasticsearch - 创建索引时出现Logstash问题,删除kibana中的.raw字段,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/37653522/