Elasticsearch查询性能(如果有多个字段还是只有一个字段)?
[英]Elasticsearch query performance if there are multiple fields vs having a single field?
问题描述
I am working on the project that involves searching different pattern in Remedy log files. 
我正在从事涉及在Remedy日志文件中搜索不同模式的项目。 Is it advantageous to have logstash break the message field into multiple fields JSON document or manually create a JSON document of only one field and fed it elasticsearch.As far as I know elasticsearch does preety well in the manual generated JSON document with only one field.So do I have to really use logstash in these application Logstash将消息字段分为多个字段JSON文档或手动创建仅一个字段的JSON文档并将其提供给Elasticsearch是有利的。据我所知,elasticsearch在手动生成的仅包含一个字段的JSON文档中表现出色。所以我必须在这些应用程序中真正使用logstash吗
1 个解决方案
解决方案1
1 2015-09-01 14:18:35
By placing everything into a single field you will limit yourself to only search functionality of elasticsearch. 通过将所有内容放在一个字段中,您将只能使用弹性搜索的搜索功能。 While elasticsearch is quite powerful search engine, it doesn't make much sense to me to restrict yourself to just search. 尽管Elasticsearch是一个功能强大的搜索引擎,但对我而言,将自己限制为仅搜索并没有多大意义。 By splitting your data into fields you will be able to unlock the full analytics power of elasticsearch and use, for example, Kibana to visualize your data. 通过将数据划分为多个字段,您将能够释放elasticsearch的全部分析功能,并使用例如Kibana可视化您的数据。 Just to give you an example, by simply extracting a timestamp field, you will be able to not only search for certain events but also draw a histogram of how this events were distributed in time. 仅举一个例子,只需提取一个时间戳字段,您将不仅可以搜索某些事件,还可以绘制该事件如何及时分布的直方图。 By extracting severity of the event and source, you will be able to see which sources are causing most of the issues and so on. 通过提取事件和源的严重性,您将能够查看导致大多数问题的源,等等。 I think it is well worth the effort in a longer term. 我认为长期而言这是值得的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.