ELK Stack - Elasticsearch index creation (logstash)

I'm experimenting with ELK to analyze our log files. Following the available documentation, I managed to set up the stack on my PC. Now I'm facing an issue with the Elasticsearch index creation. Previously I was using the filebeat -> logstash -> elasticsearch -> kibana combination, and using the following logstash.conf file I was able to send data to Elasticsearch:

input {
  beats {
    port => 5044
    type => "log"
  }
}

output {
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

And the index in Elasticsearch was evaluated to

  "filebeat-*"

from the expression

  index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"

Now I changed the logstash.conf to the following, based on my actual log file:

input {
  file {
    path => "C:\logs\application.log"
    start_position => "beginning"
    codec => multiline {
      charset => "ISO-8859-1"
      pattern => "^%{TIMESTAMP_ISO8601}"
      max_lines => 1000
      negate => true
      what => "previous"
    }
  }
}

filter {
  mutate {
    gsub => [ "message", "\r", "" ]
  }

  grok {
    patterns_dir => "./patterns"
    match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL1:loglevel} %{THREAD:thread} %{IP5:remoteipaddress} %{JAVA:logclass} %{GREEDYDATA:details}" }
    add_field => [ "received_at", "%{@timestamp}" ]
    add_field => [ "received_from", "%{host}" ]
  }

  date {
    match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS" ]
    remove_field => [ "timestamp" ]
  }
}

output {
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
  file {
    path => "C:\logs\output.txt"
  }
}

In this case, Logstash is happy with the conf file, but the index I suggested for Elasticsearch is not being evaluated properly.

If I inspect Elasticsearch using the head plugin,

http://localhost:9200/_plugin/head/

the index appears as

%{[@metadata][beat]}-


I'm not sure why the index expression is not being evaluated now. Any pointers to solve this issue would be helpful.

Thanks in advance, San

Certain Logstash plugins utilise metadata to transfer fields you don't want to store in the document. In your first example, the beats input is setting certain metadata that's used later in the elasticsearch output to set the index and type. As the file input doesn't set these metadata fields, Logstash will output the variable name instead of a blank string, hence why it sets an index of "%{[@metadata][beat]}-2016.04.05": the date is known, but the metadata field beat is not.

If you just leave the elasticsearch output at its defaults it should work fine:

elasticsearch { hosts => "localhost:9200" }

If you leave manage_template as false, it'll also not apply the logstash- template and the field mappings may be a bit off, so I'd recommend leaving that as the default (true) again.

Since you know what the index should be called, just put it in the elasticsearch output:

output {
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "filebeat-%{+YYYY.MM.dd}"
    document_type => "whatever_type_filebeat_put_in"
  }
}
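The behaviour the question and the answer describe (an unresolved `%{[@metadata][beat]}` reference staying in the index name as a literal string, while `%{+YYYY.MM.dd}` still expands) is easy to reproduce and to guard against outside of Logstash. The following Python script is an added example, not Logstash's own code and not part of the original question or answer. It emulates the subset of Logstash's sprintf field references that appear on this page (`%{name}`, nested `%{[a][b]}`, and `%{+...}` date formats for the Joda tokens YYYY, MM, dd, HH only), and then runs the same index template against two constructed events: one shaped like what the beats input produces (with `@metadata.beat` set) and one shaped like what the file input produces (no `@metadata`). `render_index` is a pre-deployment check that refuses any index name still containing a `%{...}` fragment, so a pipeline test catches the junk index before Elasticsearch creates it. The event contents, timestamp and the Joda-to-strftime table are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Matches a Logstash sprintf reference such as %{host}, %{[@metadata][beat]} or %{+YYYY.MM.dd}
REF = re.compile(r"%\{([^}]*)\}")

# Assumed minimal Joda -> strftime mapping; only the tokens needed for index-name patterns.
JODA_TO_STRFTIME = [("YYYY", "%Y"), ("MM", "%m"), ("dd", "%d"), ("HH", "%H")]

# The index template from the question.
INDEX_TEMPLATE = "%{[@metadata][beat]}-%{+YYYY.MM.dd}"

# Constructed sample events (not real Logstash output).
TS = datetime(2016, 4, 5, 10, 0, 0, tzinfo=timezone.utc)
BEATS_EVENT = {
    "@timestamp": TS,
    "message": "2016-04-05 10:00:00,000 INFO main 10.0.0.1 com.example.App started",
    "@metadata": {"beat": "filebeat", "type": "log"},   # set by the beats input
}
FILE_EVENT = {
    "@timestamp": TS,
    "message": "2016-04-05 10:00:00,000 INFO main 10.0.0.1 com.example.App started",
    "host": "devbox",
    "path": "C:\\logs\\application.log",                 # no @metadata from the file input
}


def _lookup(event, ref):
    """Resolve 'name' or '[a][b]' against a nested dict; None if any segment is missing."""
    parts = re.findall(r"\[([^\]]+)\]", ref) if ref.startswith("[") else [ref]
    node = event
    for part in parts:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _format_time(ts, joda_pattern):
    """Translate the supported Joda tokens to strftime and format the event timestamp."""
    for joda, py in JODA_TO_STRFTIME:
        joda_pattern = joda_pattern.replace(joda, py)
    return ts.strftime(joda_pattern)


def interpolate(template, event):
    """Expand sprintf references; unresolved field references are left as literal text,
    which is the Logstash behaviour the answer describes."""
    def substitute(match):
        ref = match.group(1)
        if ref.startswith("+"):
            return _format_time(event["@timestamp"], ref[1:])
        value = _lookup(event, ref)
        return match.group(0) if value is None else str(value)
    return REF.sub(substitute, template)


def unresolved_references(rendered):
    """Return the %{...} fragments that survived interpolation (empty list when clean)."""
    return REF.findall(rendered)


def render_index(template, event):
    """Render an index name and refuse it if any reference could not be resolved."""
    rendered = interpolate(template, event)
    leftovers = unresolved_references(rendered)
    if leftovers:
        raise ValueError(f"index template left unresolved references {leftovers}: {rendered!r}")
    return rendered


if __name__ == "__main__":
    print("beats input :", interpolate(INDEX_TEMPLATE, BEATS_EVENT))   # filebeat-2016.04.05
    print("file input  :", interpolate(INDEX_TEMPLATE, FILE_EVENT))    # %{[@metadata][beat]}-2016.04.05
    print("fixed conf  :", render_index("filebeat-%{+YYYY.MM.dd}", FILE_EVENT))
    try:
        render_index(INDEX_TEMPLATE, FILE_EVENT)
    except ValueError as err:
        print("rejected    :", err)
```

Running the script with the file-input event shows exactly the index name seen in the head plugin, and `render_index` rejects it, while the answer's fixed template `filebeat-%{+YYYY.MM.dd}` renders cleanly for both event shapes because it no longer depends on metadata that only the beats input provides.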
