索引名称未在 Filebeat 中设置为 Elasticsearch - ELK .NET Docker ElasticHQ
[英]Index Name Not Being Set in Filebeat to Elasticsearch - ELK .NET Docker ElasticHQ
问题描述
I am experimenting with some json that has been formatted in accordance with Elasticsearch , so I have gone directly from Filebeat to Elasticsearch, as opposed to going through Logstash .
我正在试验一些按照Elasticsearch格式化的json ,所以我直接从Filebeat转到 Elasticsearch,而不是通过Logstash 。 This is using docker-compose :这是使用docker-compose :
version: '2.2'
services:
elasticsearch:
container_name: elasticsearch
image: docker.elastic.co/elasticsearch/elasticsearch:7.5.2
ports:
- 9200:9200
- 9300:9300
environment:
- discovery.type=single-node
- cluster.name=docker-
- bootstrap.memory_lock=true
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
networks:
- esnet
filebeat:
container_name: filebeat
build:
context: .
dockerfile: filebeat.Dockerfile
volumes:
- ./logs:/var/log
- ./filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml
networks:
- esnet
elastichq:
container_name: elastichq
image: elastichq/elasticsearch-hq
ports:
- 8080:5000
environment:
- HQ_DEFAULT_URL=http://elasticsearch:9200
- HQ_ENABLE_SSL=False
- HQ_DEBUG=FALSE
networks:
- esnet
networks:
esnet:
However, when I open ElasticHQ the index name has been labeled as filebeat-7.5.2-2020.02.10-000001 with a date stamp.但是,当我打开ElasticHQ ,索引名称已被标记为带有日期戳的filebeat-7.5.2-2020.02.10-000001 。 I have specified the index name as Sample in my filebeat.yml .我在filebeat.yml index名称指定为Sample 。 Is there something I am missing, or is this behavior normal?是不是我遗漏了什么,或者这种行为是否正常?
Here is my filebeat.yml这是我的filebeat.yml
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/*.json
json.keys_under_root: true
json.add_error_key: true
#----------------------------- Elasticsearch output --------------------------------
output.elasticsearch:
hosts: ["elasticsearch:9200"]
index: "sample-%{+YYYY.MM.dd}"
setup.template.name: "sample"
setup.template.pattern: "sample-*"
It would be more practical to know something predefined so if I use Postman as opposed to ElasticHQ, I can start querying my data without having to look for the index name.知道一些预定义的东西会更实用,所以如果我使用 Postman 而不是 ElasticHQ,我可以开始查询我的数据而无需查找index名称。
1 个解决方案
解决方案1
1 已采纳 2020-02-21 18:27:40
I thinkFilebeat ILM might be taking over instead of the configured index name.我认为Filebeat ILM可能会接管而不是配置的索引名称。
Starting with version 7.0, Filebeat uses index lifecycle management by default when it connects to a cluster that supports lifecycle management.
And when ilm is enabled Filebeat Elasticsearch output index settings are ignored并且当启用 ilm 时 Filebeat Elasticsearch 输出索引设置被忽略
The index setting is ignored when index lifecycle management is enabled.
You might need to disable ILM or better yet configure your desired filename using ILM rollover_alias.您可能需要禁用 ILM 或更好地使用 ILM rollover_alias 配置所需的文件名。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.