2015-06-25 46 views
1

Logstash not_analyzed

I am totally new to the ELK stack and am probably trying to set up a more complex configuration to start with... :-)

I am running the whole stack on a Windows 7 laptop. I imported a CSV file, which went well, but I cannot get the string fields to be not_analyzed, which gives me broken-up text in the Kibana visualizations.

My last attempt was to use a template.

Both the template and the conf file are in the c:\logstash-1.5.0\bin directory.

This is the conf file:

input {
  file {
    path => "C:\Users\jeroen\Documents\temp\CSV\ElasticSearch_Input_vc.csv"
    type => "core2"
    start_position => "beginning"
  }
}

filter {
  csv {
    columns => ["snapshot_date_time","Country","Tower","Service","Division","USD Group","Ref Nr","Processtype","Importance","Priority","Severity","Status and Reason","Category","Is_Valid_Category","Summary","Open Date Time","Closed Date Time","Opened By","Last Modified","Resolve Completed Date Time","Hrs_Assigned_To_Completed","First Assign Date Time","Hrs_New_To_Assign","Customer Organization","Requested By","Assignee","Active Flag","In Out SLA Resolution 1"]
    separator => ";"
  }
  date {
    # no target set, so the parsed value becomes @timestamp
    match => [ "snapshot_date_time", "yyyy-MM-dd HH:mm:ss" ]
  }
  mutate {
    # both conversions in a single convert hash (they were two separate convert settings)
    convert => {
      "Hrs_Assigned_To_Completed" => "float"
      "Hrs_New_To_Assign" => "float"
    }
  }
}

output {
  elasticsearch {
    action => "index"
    host => "localhost"
    index => "qdb-%{+YYYY.MM.dd}"
    workers => 1
    # path is relative to the directory logstash is started from (here c:\logstash-1.5.0\bin)
    template => "template.json"
  }
  #stdout {
  #  codec => rubydebug
  #}
}

This is the template (which, to be honest, I just copied from another topic and changed the "template name"), and I am wondering what to do with line 7, which is probably specific to the data the original author used...

#template.json:
{
  "template": "qdb-%{+YYYY.MM.dd}",
  "settings": {
    "number_of_shards": 1,
    "number_of_replicas": 0,
    "index": { "query": { "default_field": "userid" } }
  },
  "mappings": {
    "_default_": {
      "_all": { "enabled": false },
      "_source": { "compress": true },
      "dynamic_templates": [
        {
          "string_template": {
            "match": "*",
            "mapping": { "type": "string", "index": "not_analyzed" },
            "match_mapping_type": "string"
          }
        }
      ],
      "properties": {
        "date": { "type": "date", "format": "yyyy-MM-dd HH:mm:ss" },
        "device": {
          "type": "string",
          "fields": { "raw": { "type": "string", "index": "not_analyzed" } }
        },
        "distance": { "type": "integer" }
      }
    }
  }
}

Any help/tips/hints are appreciated!

Answers

0

What you need to do is first check the ElasticSearch mapping after you have imported your data through logstash; then you will see which data Kibana is not analyzing:

http://host:9200/yourindex/_mapping/yourtype 

{
  "your type": {
    "properties": {
      "user": {
        "type": "string",
        "index": "not_analyzed"
      },
      "data": {
        "type": "string",
        "index": "not_analyzed"
      }
    }
  }
}
0

You can use the ".raw" variable.

For example, in my config I set sourceip as a variable.

In my visualizations I can choose to use sourceip.raw, which will be the 'not_analyzed' version of the variable.

Check if it exists.
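An added example, not code from the question or from either answer, that puts the checks this thread points at into one script. It assumes Logstash 1.5 with Elasticsearch 1.x (the versions in the question), a template written to template.json next to the conf file, and a `_mapping` response in the 1.x shape; the index name and field names are the asker's, and the `sourceip` multi-field in the sample mapping is constructed to illustrate the second answer's `.raw` advice. Three points it encodes: the `"template"` value must be an index-name wildcard such as `qdb-*`, because Logstash does not expand `%{+YYYY.MM.dd}` inside the template file, so the posted template matches no index and the dynamic template never runs; the `.raw` sub-fields the second answer mentions come from Logstash's default `logstash-*` template and therefore do not exist in the asker's `qdb-*` indices unless the custom template defines them; and a template only applies to indices created after it is installed, so existing `qdb-*` indices have to be deleted and re-indexed (and the Kibana index pattern's field list refreshed) before the change shows.

```python
import fnmatch
import json
from typing import Dict, List

# Added example (not the template from the post): corrected template.json for
# the asker's qdb-* indices. "template" is a wildcard that Elasticsearch
# evaluates when an index is created, not a Logstash sprintf pattern. The
# copied leftovers (default_field userid, device, distance) are dropped and
# the explicit properties are the asker's own date and float fields.
TEMPLATE = {
    "template": "qdb-*",
    "settings": {"number_of_shards": 1, "number_of_replicas": 0},
    "mappings": {
        "_default_": {
            "_all": {"enabled": False},
            "dynamic_templates": [
                {
                    "string_template": {
                        "match": "*",
                        "match_mapping_type": "string",
                        "mapping": {"type": "string", "index": "not_analyzed"},
                    }
                }
            ],
            "properties": {
                "snapshot_date_time": {"type": "date", "format": "yyyy-MM-dd HH:mm:ss"},
                "Hrs_Assigned_To_Completed": {"type": "float"},
                "Hrs_New_To_Assign": {"type": "float"},
            },
        }
    },
}


def template_json() -> str:
    """Serialize TEMPLATE as it should be written to template.json."""
    return json.dumps(TEMPLATE, indent=2)


def template_matches(pattern: str, index_name: str) -> bool:
    """Index templates match on shell-style '*' globbing; fnmatchcase reproduces
    that. '%', '{' and '+' are literal, so the sprintf pattern never matches."""
    return fnmatch.fnmatchcase(index_name, pattern)


# Constructed sample of GET /qdb-2015.06.25/_mapping (ES 1.x shape) for an
# index created WITHOUT the template: Logstash's string fields came in analyzed.
# "sourceip" shows the multi-field layout where only ".raw" is not_analyzed.
SAMPLE_MAPPING = {
    "qdb-2015.06.25": {
        "mappings": {
            "core2": {
                "properties": {
                    "@timestamp": {"type": "date", "format": "dateOptionalTime"},
                    "Country": {"type": "string"},
                    "Status and Reason": {"type": "string", "index": "not_analyzed"},
                    "Hrs_New_To_Assign": {"type": "float"},
                    "sourceip": {
                        "type": "string",
                        "fields": {"raw": {"type": "string", "index": "not_analyzed"}},
                    },
                    "message": {"type": "string"},
                }
            }
        }
    }
}


def _is_analyzed_string(props: Dict) -> bool:
    # ES 1.x strings default to "index": "analyzed"; "no" means not indexed at all.
    return props.get("type") == "string" and props.get("index", "analyzed") == "analyzed"


def analyzed_string_fields(mapping: Dict) -> List[str]:
    """Return 'index/type/field' for every string field Elasticsearch tokenizes,
    which is what splits values into words in Kibana terms aggregations. A field
    with a not_analyzed sub-field (the Logstash ".raw" convention) is reported
    with the sub-field name to pick in the visualization instead."""
    found = []
    for index, body in mapping.items():
        for doc_type, type_mapping in body.get("mappings", {}).items():
            for field, props in type_mapping.get("properties", {}).items():
                if not _is_analyzed_string(props):
                    continue
                raw = [sub for sub, sub_props in props.get("fields", {}).items()
                       if sub_props.get("index") == "not_analyzed"]
                label = f"{index}/{doc_type}/{field}"
                if raw:
                    label += f" (use {field}.{raw[0]})"
                found.append(label)
    return sorted(found)


def load_mapping(path: str) -> Dict:
    """Load a saved response, e.g. curl http://localhost:9200/qdb-2015.06.25/_mapping > mapping.json"""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    print(template_json())
    print("qdb-* matches qdb-2015.06.25:", template_matches("qdb-*", "qdb-2015.06.25"))
    print("sprintf pattern matches:", template_matches("qdb-%{+YYYY.MM.dd}", "qdb-2015.06.25"))
    for entry in analyzed_string_fields(SAMPLE_MAPPING):
        print("analyzed:", entry)
```

One more caveat on the conf file: the Logstash 1.5 elasticsearch output installs the template under `template_name` (default `logstash`) and, unless `template_overwrite => true` is set, skips installation when a template of that name already exists, which it will after any earlier run with the default template. Giving the custom template its own name with `template_name => "qdb"` avoids the clash; `curl http://localhost:9200/_template/qdb` then confirms what Elasticsearch actually holds.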