如何在 logstash 过滤器中添加自动删除字段
[英]how to add auto remove field in logstash filter
问题描述
I am trying to add a _ttl field in logstash so that elasticsearch removes the document after a while, 120 seconds in this case but that's for testing.
我正在尝试在logstash中添加一个_ttl字段,以便elasticsearch在一段时间后删除文档,在这种情况下为120秒,但这是为了测试。
filter {
if "drop" in [message] {
drop { }
}
add_field => { "_ttl" => "120s" }
}
but now nothing is logged in elasticsearch.但现在 elasticsearch 中没有任何记录。
I have 2 questions.我有 2 个问题。 Where is logged what is going wrong, maybe the syntax of the filter is wrong?在哪里记录出了什么问题,也许过滤器的语法错误?
How do I add a ttl field to elasticsearch for auto removal?如何将 ttl 字段添加到 elasticsearch 以进行自动删除?
1 个解决方案
解决方案1
2 已采纳 2022-08-10 07:38:17
When you add a filter to logstash.conf with a mutator it works:当您使用 mutator 向 logstash.conf 添加过滤器时,它会起作用:
filter {
mutate {
add_field => { "_ttl" => "120s" }
}
}
POST myindex/_search
{
"query": {
"match_all": {}
}
}
Results:结果:
"hits": [
{
"_index": "myindex",
...................
"_ttl": "120s",
For the other question, cant really help there.对于另一个问题,真的帮不上忙。 Im running logstash as container so logging is read with:我将 logstash 作为容器运行,因此使用以下命令读取日志记录:
docker logs d492eb3c3d0d
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.