elasticsearch 中的动态索引与 filebeat
[英]Dynamic index in elasticsearch with filebeat
问题描述
I have installed filebeat on a server and monitoring the below log files
我已经在服务器上安装了 filebeat 并监视以下日志文件
C:\appl\dev\*\*\ms\*\*.log
I have configured filebeat.yml as below我已经配置了 filebeat.yml 如下
filebeat.inputs:
- paths:
- 'C:\appl\dev\*\*\ms\*\*.log'
type: log
processors:
- dissect:
field: log.file.path
tokenizer: "C:\\appl\\dev\\%{field1}\\%{field2}\\ms\\"
I have two requirements,我有两个要求,
one is to get the events with two additional fields filed1 and field2 (this is working as per the above configuration).一种是使用两个额外的字段字段 1 和字段 2 获取事件(这是按照上述配置工作的)。
The other one is to have the index name in elastic appended with this additional field (field1 or field2).另一种方法是在弹性索引名称中附加此附加字段(field1 或 field2)。
Currently index is a variable (index: appname-%{[agent.version]}-%{+yyyy.MM.dd})当前索引是一个变量(index: appname-%{[agent.version]}-%{+yyyy.MM.dd})
I need it to be appname-field1-%{[agent.version]}-%{+yyyy.MM.dd}我需要它是appname-field1-%{[agent.version]}-%{+yyyy.MM.dd}
Please advice请指教
2 个解决方案
解决方案1
1 2020-06-09 06:20:40
In your output configuration, you need to change the index setting , like this:在您的 output 配置中,您需要更改index设置,如下所示:
output.elasticsearch:
hosts: ["http://localhost:9200"]
index: "appname-%{[field1]}-%{[agent.version]}-%{+yyyy.MM.dd}"
解决方案2
1 已采纳 2020-06-09 08:09:24
For me adding output.elasticsearch wasn't enough, had to add setup.template as well对我来说,添加output.elasticsearch还不够,还必须添加setup.template
output.elasticsearch:
hosts: ["http://localhost:9200"]
index: "appname-%{[field1]}-%{[agent.version]}-%{+yyyy.MM.dd}"
setup.template:
name: 'appname'
pattern: 'appname-*'
enabled: false
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.