堆栈内存溢出
  简体   繁体   English

NGINX自定义日志的弹性搜索索引模板

[英]Elastic Search Index template for NGINX custom log

 原文  2016-06-30 09:15:25       templates/ nginx/ elasticsearch

问题描述

I have the following log from NGINX: 我有NGINX的以下日志:

111.111.111.111, 11.11.11.11 - 11.11.11.11 [06/May/2016:08:26:10 +0000] "POST /some-service/GetSomething HTTP/1.1" 499 0 "-" "Jakarta Commons-HttpClient/3.1" "7979798797979799" 59.370 - "{\\x0A\\x22correlationId\\x22 : \\x22TestCorr1\\x22\\x0A}" 111.111.111.111、11.11.11.11-11.11.11.11 [06 / May / 2016:08:26:10 +0000]“ POST / some-service / GetSomething HTTP / 1.1” 499 0“-”“ Jakarta Commons-HttpClient / 3.1 “” 7979798797979799“ 59.370- ” {\\ x0A \\ x22correlationId \\ x22:\\ x22TestCorr1 \\ x22 \\ x0A}

Logstash will be like this: Logstash将如下所示: 

input { stdin {} }
output { stdout { codec => "rubydebug" } }

filter {
   grok {
 match => { "message" => "%{COMBINEDAPACHELOG} %{QS:partner_id} %{NUMBER:req_time} %{GREEDYDATA:extra_fields}" }
 add_field => [ "received_at", "%{@timestamp}" ]
 add_field => [ "received_from", "%{host}" ]
  }


mutate {
 gsub => ["extra_fields", "\"","",
      "extra_fields", "\\x0A","",
      "extra_fields", "\\x22",'\"',
      "extra_fields", "(\\)",""
  ]
}

json {
  source => "extra_fields"
  target => "extra_fields_json"
}


mutate {
  add_field => {
    "correlationId" => "%{[extra_fields_json][correlationId]}"
  }
}

} }

The problem is req_time is string, so I need to convert to float using the following template: 问题是req_time是字符串,因此我需要使用以下模板转换为float: 

{
  "template" : "filebeat*",
 "settings" : {
   "index.refresh_interval" : "5s"
 },

 "mappings" : {
  "properties" : {
    "@timestamp": { "type": "date" },
    "partner_id": { "type": "string", "index": "not_analyzed" },
    "@version": { "type": "string", "index": "not_analyzed" },
    "req_time" : { "type" : "float", "index" : "not_analyzed" }, 
    "res_time" : { "type" : "string", "index" : "not_analyzed" },
    "purchaseTime" : { "type" : "date", "index" : "not_analyzed" },
    "received_at" : { "type" : "date", "index" : "not_analyzed" },
    "itemPrice" : { "type" : "double", "index" : "not_analyzed" },
    "total" : { "type" : "integer", "index" : "not_analyzed" },
    "bytes" : { "type" : "double", "index" : "not_analyzed" }
  }
   }
 }

}

Verified using: curl -XGET ' http://localhost:9200/filebeat-2016.06.30/_mapping/field/req_time ' 验证使用:curl -XGET'http :// localhost:9200 / filebeat-2016.06.30 / _mapping / field / req_time '

I am getting: 我正进入(状态:

{"filebeat-2016.06.30":{"mappings":{"nginxlog":{"req_time": {"full_name":"req_time","mapping":{ "req_time":{"type":"string"} }}}}}} {“ filebeat-2016.06.30”:{“ mappings”:{“ nginxlog”:{“ req_time”:{“ full_name”:“ req_time”,“ mapping”:{ “ req_time”:{“ type”:“ string” } }}}}}}

so my template definitely does not work. 所以我的模板肯定不起作用。 Anyone can help? 有人可以帮忙吗?

1 个解决方案

解决方案1
 0  2016-07-04 03:45:42

At the end, I just removed the template, and let ES guest the field type. 最后,我只是删除了模板,然后让ES来宾访问字段类型。 It did work. 它确实起作用。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 在 Elastic 中搜索过滤器和应该的模板 - Search Template in Elastic for filter and should 弹性搜索未使用logstash中的已定义模板进行映射 - Defined Template from logstash not being used by elastic search for mapping Elasticsearch Filebeat 忽略自定义索引模板并使用默认 filebeat 索引模板覆盖 output 索引的映射 - Elasticsearch Filebeat ignores custom index template and overwrites output index's mapping with default filebeat index template Wordpress Pods:模板中的索引 - Wordpress Pods: Index in Template Golang索引模板包括 - Golang index template including WordPress自定义子模板,模板中的模板 - Wordpress custom sub template, Template within template 我们可以将NGINX用作模板引擎的Webapp吗 - Can we use NGINX as webapp for template engine Android Studio自定义模板 - Android Studio custom template 自定义模板在 wordpress 中不起作用 - Custom Template not working in wordpress 怪异的自定义模板过滤器? - Spooky Custom Template Filter?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM