stackoom
  简体   繁体   中英

how to add auto remove field in logstash filter

 原文  2022-08-10 07:26:13       elasticsearch/ logstash

Question

I am trying to add a _ttl field in logstash so that elasticsearch removes the document after a while, 120 seconds in this case but that's for testing.

filter {
    if "drop" in [message] {
        drop { }
    }

    add_field => { "_ttl" => "120s" }
}

but now nothing is logged in elasticsearch.

I have 2 questions. Where is logged what is going wrong, maybe the syntax of the filter is wrong?

How do I add a ttl field to elasticsearch for auto removal?

1 answers

solution1
 2 ACCPTED  2022-08-10 07:38:17

When you add a filter to logstash.conf with a mutator it works:

filter {
    mutate {
        add_field => { "_ttl" => "120s" }
    }
}

POST myindex/_search
{
  "query": {
    "match_all": {}
  }
}

Results:

"hits": [
  {
    "_index": "myindex",
      ...................
      "_ttl": "120s",

For the other question, cant really help there. Im running logstash as container so logging is read with:

docker logs d492eb3c3d0d

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to add a field from a file in logstash filter How remove date from field? (Logstash) How to add new timestamp field on logstash? How to add a field to kibana via logstash how to extract a portion of a field and store it into another field in logstash filter? How to remove all fields with NULL value in Logstash filter How to convert a string to data field in logstash filter plugin how to parse and extract specific fields and store it into another field in logstash filter? Remove an event field and reference it in Logstash How to do this filter in logstash
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM