2014-03-26 69 views
1

I want to figure out how to use _timestamp together with logstash. How do I use Elasticsearch's _timestamp in logstash?

I tried adding this to the mapping:

"_timestamp" : {
  "enabled" : true,
  "path" : "@timestamp"
},

But this did not have the expected effect. I did it in the elasticsearch-template.json file (I tried with and without "store" : true):

{
  "template" : "logstash-*",
  "settings" : {
    "index.refresh_interval" : "5s"
  },
  "mappings" : {
    "_default_" : {
      "_timestamp" : {
        "enabled" : true,
        "store" : true,
        "path" : "@timestamp"
      },

      "_all" : {"enabled" : true},
      "dynamic_templates" : [ {
      .....

I added the modified file to the output filter:

output {
  elasticsearch_http {
    template => '/tmp/elasticsearch-template.json'
    host => '127.0.0.1'
    port => 9200
  }
}

To make sure the database is clean, I repeatedly do:

curl -XDELETE http://localhost:9200/logstash* 
curl -XDELETE http://localhost:9200/_template/logstash 
rm ~/.sincedb_* 

Then I try to import my log file. But for some reason _timestamp is not set.

The mapping seems to be fine:

{
  "logstash-2014.03.24" : {
    "_default_" : {
      "dynamic_templates" : [ {
        "string_fields" : {
          "mapping" : {
            "index" : "analyzed",
            "omit_norms" : true,
            "type" : "string",
            "fields" : {
              "raw" : {
                "index" : "not_analyzed",
                "ignore_above" : 256,
                "type" : "string"
              }
            }
          },
          "match" : "*",
          "match_mapping_type" : "string"
        }
      } ],
      "_timestamp" : {
        "enabled" : true,
        "store" : true,
        "path" : "@timestamp"
      },
      "properties" : {
        "@version" : {
          "type" : "string",
          "index" : "not_analyzed",
          "omit_norms" : true,
          "index_options" : "docs"
        },
        "geoip" : {
          "dynamic" : "true",
          "properties" : {
            "location" : {
              "type" : "geo_point"
            }
          }
        }
      }
    },
    "logs" : {
      "dynamic_templates" : [ {
        "string_fields" : {
          "mapping" : {
            "index" : "analyzed",
            "omit_norms" : true,
            "type" : "string",
            "fields" : {
              "raw" : {
                "index" : "not_analyzed",
                "ignore_above" : 256,
                "type" : "string"
              }
            }
          },
          "match" : "*",
          "match_mapping_type" : "string"
        }
      } ],
      "_timestamp" : {
        "enabled" : true,
        "store" : true,
        "path" : "@timestamp"
      },
      "properties" : {
        "@timestamp" : {
          "type" : "date",
          "format" : "dateOptionalTime"
        },

A document in the database looks like this:

{
  "_id": "Cps2Lq1nTIuj_VysOwwcWw",
  "_index": "logstash-2014.03.25",
  "_score": 1.0,
  "_source": {
    "@timestamp": "2014-03-25T00:47:09.703Z",
    "@version": "1",
    "created": "2014-03-25 01:47:09,703",
    "host": "macbookpro.fritz.box",
    "message": "2014-03-25 01:47:09,703 - Starting new HTTP connection (1): localhost",
    "path": "/Users/scharf/git/ckann/annotator-store/logs/requests.log",
    "text": "Starting new HTTP connection (1): localhost"
  },
  "_type": "logs"
},

Why is _timestamp not set???

Answer

2

In short, it does work.

I tested your specific scenario, and here are my findings:

When _source is enabled and _timestamp is given a path into _source, you will never see _timestamp as part of the document. However, if you add the ?fields query string part, for example:

http://<localhost>:9200/es_test_logs/ESTest1/ilq4PU3tR9SeoLo794wZlg?fields=_timestamp then you will get the correct _timestamp value.

If, instead of using path, you pass _timestamp externally (in the _source document), you will see _timestamp in the document as a normal _source property.

If you disable the _source field, you will not see any properties in the document at all, not even the ones you set to "store" : true. You will only see them when you specify ?fields, or when you build a query that returns those fields.
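An added example, not from the question or the answer above: a small Python check that locates _timestamp in an Elasticsearch 1.x hit the way the answer describes (under "fields" when fetched with ?fields=_timestamp, under "_source" when the document carried it) and verifies that a path-based _timestamp really mirrors the event's @timestamp rather than the ingest time Elasticsearch would otherwise assign. The hit dictionaries are constructed, and the epoch-millisecond form of fields._timestamp is an assumption about the 1.x response.

```python
import calendar
from datetime import datetime

def iso_to_millis(iso):
    # Convert logstash's @timestamp ("2014-03-25T00:47:09.703Z") to epoch milliseconds,
    # the form in which a stored _timestamp is assumed to come back under "fields".
    dt = datetime.strptime(iso, "%Y-%m-%dT%H:%M:%S.%fZ")
    return calendar.timegm(dt.timetuple()) * 1000 + dt.microsecond // 1000

def locate_timestamp(hit):
    # Where does _timestamp show up in this hit?  "fields" when the mapping uses "path"
    # and the request carried ?fields=_timestamp; "_source" when the document itself
    # carried _timestamp; (None, None) when it was not requested at all.
    if "_timestamp" in hit.get("fields", {}):
        return hit["fields"]["_timestamp"], "fields"
    if "_timestamp" in hit.get("_source", {}):
        return hit["_source"]["_timestamp"], "_source"
    return None, None

def timestamp_mirrors_source(hit):
    # Check for the path-based mapping: the stored _timestamp must equal the event's
    # own @timestamp; a mismatch means the path was not applied and ingest time was used.
    value, where = locate_timestamp(hit)
    source = hit.get("_source", {})
    if where != "fields" or "@timestamp" not in source:
        return False
    return int(value) == iso_to_millis(source["@timestamp"])

# Constructed hits (not real responses) for the three cases the answer describes.
PATH_HIT = {        # mapping uses "path": "@timestamp", fetched with ?fields=_timestamp
    "_source": {"@timestamp": "2014-03-25T00:47:09.703Z", "message": "Starting new HTTP connection"},
    "fields": {"_timestamp": 1395708429703},
}
EXTERNAL_HIT = {    # _timestamp passed inside the document itself
    "_source": {"@timestamp": "2014-03-25T00:47:09.703Z", "_timestamp": "2014-03-25T00:47:09.703Z"},
}
NO_SOURCE_HIT = {   # _source disabled: only explicitly requested fields come back
    "fields": {"_timestamp": 1395708429703},
}

if __name__ == "__main__":
    for name, hit in [("path", PATH_HIT), ("external", EXTERNAL_HIT), ("no_source", NO_SOURCE_HIT)]:
        print(name, locate_timestamp(hit), timestamp_mirrors_source(hit))
```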
