Logstash弹性搜索输出自定义模板不起作用
[英]Logstash elastic search output custom template not working
问题描述
My logstash config is something like the following 
我的logstash配置如下所示
if "user" in [tags] {
elasticsearch {
hosts => ["localhost:9200"]
action => "index"
index => "user-%{+YYYY.MM.dd}"
template => '/path/to/elastic-template.json'
flush_size => 50
}
}
And the json template contains the lines 并且json模板包含以下行
"fields" : {
"{name}" : {"type": "string", "index" : "analyzed", "omit_norms" : true, "index_options" : "docs"},
"{name}.raw" : {"type": "string", "index" : "not_analyzed", "ignore_above" : 256}
}
So I assume the .raw can be used when searching or generating the visualization. 因此,我假设在搜索或生成可视化效果时可以使用.raw 。
However, I removed the existing index and rebuild again, I can see the data, but I still cannot find the .raw field either Kibana's settings, discover or visualize 但是,我删除了现有索引并再次重建,可以看到数据,但是仍然找不到Kibana的设置,发现或可视化的.raw字段。
How to use the .raw field? 如何使用.raw字段?
2 个解决方案
解决方案1
0 2016-08-25 15:45:18
The template you posted isn't even valid JSON. 您发布的模板甚至不是有效的JSON。 If you want to apply a raw field as in not_analyzed you have to do it like this: 如果要像not_analyzed一样应用raw字段, not_analyzed必须这样做:
"action" : {
"type" : "string",
"fields" : {
"raw" : {
"index" : "not_analyzed",
"type" : "string"
}
}
}
This will create a action.raw field. 这将创建一个action.raw字段。
解决方案2
0 2017-08-10 07:16:20
I encountered same issue. 我遇到了同样的问题。 I used ES5.5.1 and logstash 5.5.1 , below is my template file 我使用了ES5.5.1和logstash 5.5.1 ,下面是我的模板文件
{
"template": "access_log",
"settings": {
"index.refresh_interval" : "5s"
},
"mappings": {
"log": {
"properties":{
"geoip":{
"properties":{
"location" : {
"type" : "geo_point",
"index": "false"
}
}
}
}
}
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.