堆栈内存溢出
  简体   繁体   English

集中式日志服务器/创建类似logstash- *的索引

[英]Centralized logging server/Create a logstash-* like index

 原文  2015-07-27 18:06:38       elasticsearch/ logstash/ kibana/ kibana-4

问题描述

I am trying to configure ELK to take logs form two different applications. 我正在尝试配置ELK以采用来自两个不同应用程序的日志。 To my understanding, the Elasticsearch index is analogous to a to a database. 据我了解,Elasticsearch索引类似于数据库。 So my question is: 所以我的问题是:

Is it advisable to configure separate indices for different applications and Why? What are the pros and cons from it being used as/for a centralized logging system?

The ES has an inbuilt functionality with the default logstash-* index that it creates an index on a daily basis depending on the timestamp that it receives from the logs. ES具有内置功能,带有默认的logstash- *索引,它每天根据从日志接收的时间戳创建索引。 Now how do I create an index for my app so that it is named different, say App1-* that behaves exactly as the logstash-* index ie is gets created on a daily basis from the timestamp? 现在如何为我的应用程序创建一个索引,以使其命名不同,例如App1-*行为与logstash-*索引完全相同,即每天从时间戳创建索引?

I checked the ES documentation on index APIs but couldn't find sufficient information for this for a custom index. 我检查了有关索引API的ES文档,但找不到针对此索引的足够信息。 Any pointers in this? 有任何指针吗?

1 个解决方案

解决方案1
 1 已采纳  2015-07-27 19:22:07

The major con for me in using multiple indices is that each one (and the underlying shards) chews up HEAP, which limits the number of indexes you can have open at one time. 对于我来说,使用多个索引的主要缺点是每个索引(及其下层碎片)都会消耗HEAP,这限制了您一次可以打开的索引数量。 If you combine the data into one index, it will take less memory to keep the data available. 如果将数据合并到一个索引中,将需要较少的内存来保持数据可用。

As for the daily indices, elasticsearch will create any index when asked to do so. 至于每日索引,elasticsearch将在需要时创建任何索引。 Logstash, in the elasticsearch{} output, allows you to specify the name of the index, which can contain static ("logstash-") and dynamic elements (date, fields from the event, etc). 在elasticsearch {}输出中,Logstash允许您指定索引的名称,其中可以包含静态(“ logstash-”)和动态元素(日期,事件中的字段等)。

Be aware that there is a mapping template that is applied to the "logstash-*" indices. 请注意,有一个映射模板已应用于“ logstash- *”索引。 If you need any of that functionality, you'll need to handle it yourself. 如果需要任何功能,则需要自己处理。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Logstash 索引错误:[logstash-*] IndexNotFoundException[没有这样的索引] - Logstash Index error : [logstash-*] IndexNotFoundException[no such index] Logstash-Windows 7 - Logstash- Windows 7 logstash作为代理进行解析并发送到集中式logstash服务器 - logstash as agent to parse and send to centralized logstash server logstash-> kafka-> logstash-> elasticsearch删除一些日志 - logstash->kafka->logstash->elasticsearch dropping some logs 是“ logstash-”是kibana中索引的必需前缀吗? - Is “logstash-” a mandatory prefix of indices in kibana? logstash不创建索引 - logstash does not create index 在logstash中创建季度索引 - create quarterly index in logstash 集中式ELK与集中式EK +多个Logstash - Centralized ELK vs Centralized EK + Multiple Logstash logstash无法在ES中创建索引 - logstash fails to create an index in ES Logstash 无法在 ElasticSearch 中创建索引 - Logstash cannot create index in ElasticSearch
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM