本文介绍了我可以通过elasticsearch-template.json设置logstash默认的弹性搜索映射的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我使用logstash + elasticsearch收集syslog,并希望设置ttl进行日志老化



我在logstash中找到一个名为elasticsearch-template.json的文件,路径是logstash / logstash-1.4.2 / lib / logstash / outputs / elasticsearch / elasticsearch-template.json



我在文件中添加ttl信息,如下所示:

  {
template:logstash- *,
settings:{
index.refresh_interval:5s
},
mappings:{
_default_:{
_all:{enabled:true},
dynamic_templates:[{
string_fields:{
match:*,
match_mapping_type:string,
mapping
type:string,index:analyze,omit_norms:true,
fields:{
raw:{type ,index:not_analyzed,ignore_above:256}
}
}
}
} $,
_ttl:{
enabled:true,
default:1d
},
properties $ b@version:{type:string,index:not_analyzed},
geoip:{
type:object,
dynamic:true,
path:full,
properties:{
location:{type:geo_point}
}
}
}
}
}
}

然后重新启动logstash,删除所有弹性搜索索引。
我在弹性搜索中检查新索引的映射,但它没有以这种方式工作。



如何配置索引模板?

解决方案

您需要更改logstash配置。



遵循默认设置,logstash已经在名为 logstash 的elasticsearch中创建了一个模板,logstash将继续使用存储在elasticsearch中的模板,除非您明确指出。 p>

修改您发现的模板文件,但除此之外,在您的logstash配置中,设置以下内容:

  output {
elasticsearch {
...
template_overwrite =>真
...
}
}


I use logstash + elasticsearch to collect syslog and want to set ttl for log ageing

I find a file named elasticsearch-template.json in the logstash,the path is logstash/logstash-1.4.2/lib/logstash/outputs/elasticsearch/elasticsearch-template.json

I add ttl info in the file like this:

{
  "template" : "logstash-*",
  "settings" : {
    "index.refresh_interval" : "5s"
  },
  "mappings" : {
    "_default_" : {
       "_all" : {"enabled" : true},
       "dynamic_templates" : [ {
         "string_fields" : {
           "match" : "*",
           "match_mapping_type" : "string",
           "mapping" : {
             "type" : "string", "index" : "analyzed", "omit_norms" : true,
               "fields" : {
                 "raw" : {"type": "string", "index" : "not_analyzed", "ignore_above" : 256}
               }
           }
         }
       } ],
        "_ttl": {
         "enabled": true,
         "default": "1d"
       },
       "properties" : {
         "@version": { "type": "string", "index": "not_analyzed" },
         "geoip"  : {
           "type" : "object",
             "dynamic": true,
             "path": "full",
             "properties" : {
               "location" : { "type" : "geo_point" }
             }
         }
       }
    }
  }
}

then restart logstash, delete all elasticsearch index. I check the new index's mapping in the elasticsearch, but it didn't work in this way.

How can I config the index template?

解决方案

you need to change your logstash configuration.

if you have followed the default settings, logstash has already created a template inside elasticsearch named logstash, logstash will keep on using that template stored in elasticsearch unless you tell it not to explicitly.

modify that template file you found but in addition to that, in your logstash configuration, set the following:

output {
  elasticsearch {
    ...
    template_overwrite => true
    ...
  }
}

这篇关于我可以通过elasticsearch-template.json设置logstash默认的弹性搜索映射的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

10-24 01:40