在同一个Logstash配置文件中使用多个Elsticsearch输出时,将忽略模板
[英]Templates being ignored when multiple Elsticsearch outputs are used in the same Logstash config file
问题描述
我写了一个Logstash配置文件,其中包含三个文件输入(所有这些都是日志文件),三个过滤器(每个都有不同的模式)和三个elasticsearch输出(每个输出转到不同的索引)。 每个索引根据其输入类型具有不同的模板,索引按周分区。
当所描述的配置文件运行时,会发生问题,索引模板将被忽略,并且不会对索引创建生效。
在这种情况下,模板不起作用:
input {
file {
path => ["/path/to/file.log"]
start_position => "beginning"
sincedb_path => "/dev/null"
ignore_older => 0
type => 'type_1'
}
file {
path => "/path/to/file2.log"
start_position => "beginning"
sincedb_path => "/dev/null"
ignore_older => 0
type => 'type_2'
}
file {
path => ["/path/to/file3.log"]
start_position => "beginning"
sincedb_path => "/dev/null"
ignore_older => 0
type => 'type_3'
}
}
filter {
if [type] == "type_1" {
csv {
columns => ["column1","column2","column3"]
separator => "|"
}
date {
match => [ "column3", "EEE MMM dd HH:mm:ss zzz yyyy" ]
target => "@timestamp"
}
date {
match => [ "column3", "EEE MMM dd HH:mm:ss zzz yyyy" ]
target => "column3"
}
mutate {
remove_field => [ "message" ]
remove_field => [ "path" ]
remove_field => [ "host" ]
}
}
if [type] == "type_2" {
csv {
columns => ["column1","column2",]
separator => "|"
}
mutate {
remove_field => [ "message" ]
remove_field => [ "path" ]
remove_field => [ "host" ]
convert => { "column1" => "float" }
}
date {
match => [ "column2", "EEE MMM dd HH:mm:ss zzz yyyy" ]
target => "@timestamp"
}
date {
match => [ "column2", "EEE MMM dd HH:mm:ss zzz yyyy" ]
target => "column2"
}
}
if [type] == "type_3" {
csv {
columns => ["column1","column2","column3","column4"]
separator => "|"
}
mutate {
remove_field => [ "message" ]
remove_field => [ "path" ]
remove_field => [ "host" ]
convert => { "column3" => "float" }
convert => { "column1" => "float" }
}
date {
match => [ "column4", "EEE MMM dd HH:mm:ss zzz yyyy" ]
target => "@timestamp"
}
date {
match => [ "column4", "EEE MMM dd HH:mm:ss zzz yyyy" ]
target => "column4"
}
}
}
output {
if [type] == "type_1" {
elasticsearch {
hosts => ["localhost:9200"]
index => "type_1-%{+xxxx.ww}"
}
}
if [type] == "type_2" {
elasticsearch {
hosts => ["localhost:9200"]
index => "type_2-%{+xxxx.ww}"
}
}
if [type] == "type_3" {
elasticsearch {
hosts => ["localhost:9200"]
index => "type_3-%{+xxxx.ww}"
}
}
}
相反,当单个配置文件用于每个输入文件类型,过滤器和弹性搜索输出时,模板工作正常。
模板在这里工作正常:
input {
file {
path => ["/path/to/file.log"]
start_position => "beginning"
sincedb_path => "/dev/null"
ignore_older => 0
}
}
filter {
csv {
columns => ["column1","column2","column3"]
separator => "|"
}
date {
match => [ "column3", "EEE MMM dd HH:mm:ss zzz yyyy" ]
target => "@timestamp"
}
date {
match => [ "column3", "EEE MMM dd HH:mm:ss zzz yyyy" ]
target => "column3"
}
mutate {
remove_field => [ "message" ]
remove_field => [ "path" ]
remove_field => [ "host" ]
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "type_1-%{+xxxx.ww}"
}
}
我已经在配置文件中使用了以下参数:
- template =>“file_name.json”
- template_overwrite =>“true”
- manage_template =>“true”
- template_name =>“template_name”
但他们没有帮助。
有没有人之前有这个错误?
(我正在使用elasticsearch 2.3.2和logstash 2.3.2)
任何帮助将不胜感激
我的模板
TYPE_1
curl -X PUT 'localhost:9200/_template/type_1' -d '
{
"template": "type_1*",
"settings" : {
"index" : {
"refresh_interval" : "30s"
}
},
"mappings": {
"logs" : {
"_all": {
"enabled": false
},
"_source": {
"enabled": false
},
"dynamic": "strict",
"properties" : {
"column3" : {
"type" : "date",
"format" : "strict_date_optional_time||epoch_millis",
"norms": {
"enabled": false
}
},
"@timestamp" : {
"format" : "strict_date_optional_time||epoch_millis",
"type" : "date",
"norms": {
"enabled": false
}
},
"column2" : {
"type" : "string",
"index": "not_analyzed"
},
"column1" : {
"type" : "string",
"index": "not_analyzed"
},
"@version" : {
"type" : "string",
"norms": {
"enabled": false
}
}
}
}
}
}';
TYPE_2
curl -X PUT 'localhost:9200/_template/type_2' -d '
{
"template": "type_2*",
"settings" : {
"index" : {
"refresh_interval" : "30s"
}
},
"mappings": {
"logs" : {
"_all": {
"enabled": false
},
"_source": {
"enabled": false
},
"dynamic": "strict",
"properties" : {
"column2" : {
"type" : "date",
"format" : "strict_date_optional_time||epoch_millis",
"norms": {
"enabled": false
}
},
"@timestamp" : {
"format" : "strict_date_optional_time||epoch_millis",
"type" : "date",
"norms": {
"enabled": false
}
},
"column1" : {
"type" : "float",
"index": "not_analyzed"
},
"@version" : {
"type" : "string",
"norms": {
"enabled": false
}
}
}
}
}
}';
TYPE_3
curl -X PUT 'localhost:9200/_template/type_3' -d '
{
"template": "type_3*",
"settings" : {
"index" : {
"refresh_interval" : "30s"
}
},
"mappings": {
"logs" : {
"_all": {
"enabled": false
},
"_source": {
"enabled": false
},
"dynamic": "strict",
"properties" : {
"column4" : {
"type" : "date",
"format" : "strict_date_optional_time||epoch_millis",
"norms": {
"enabled": false
}
},
"@timestamp" : {
"format" : "strict_date_optional_time||epoch_millis",
"type" : "date",
"norms": {
"enabled": false
}
},
"column3" : {
"type" : "float",
"index": "not_analyzed"
},
"column2" : {
"type" : "string",
"index": "not_analyzed"
},
"column1" : {
"type" : "float",
"index": "not_analyzed"
},
"@version" : {
"type" : "string",
"norms": {
"enabled": false
}
}
}
}
}
}';
1 个解决方案
解决方案1
0 2016-09-26 18:23:36
我找到了解决方案
Losgstash配置文件使用type =>'type_1'来区分输入文件,filteres和Elasticsearch输出,还定义了模板类型和名为“type”的新字段。
我们在映射模板“logs”中使用了默认类型,并且我们没有考虑logstash配置文件中定义的'type_1'。 因此,模板被忽略了。
解决方案:更改模板映射中的类型问题得到解决。
例如:
curl -X PUT 'localhost:9200/_template/type_1' -d '
{
"template": "type_1*",
"settings" : {
"index" : {
"refresh_interval" : "30s"
}
},
"mappings": {
"type_1" : {
"_all": {
"enabled": false
},
"_source": {
"enabled": false
},
"dynamic": "strict",
"properties" : {
"column3" : {
"type" : "date",
"format" : "strict_date_optional_time||epoch_millis",
"norms": {
"enabled": false
}
},
"@timestamp" : {
"format" : "strict_date_optional_time||epoch_millis",
"type" : "date",
"norms": {
"enabled": false
}
},
"column2" : {
"type" : "string",
"index": "not_analyzed"
},
"column1" : {
"type" : "string",
"index": "not_analyzed"
},
"@version" : {
"type" : "string",
"norms": {
"enabled": false
}
}
}
}
}
}';
logstash :使用一个 logstash conf 文件创建多个索引
[英]logstash : creating multiple indices using one logstash conf file
对于Jersey / JAXB,是否可以使用相同的POJO作为“父”和“子”,但在用作“孩子”时删除某些属性?
[英]For Jersey/JAXB, is it possible to use the same POJO as both 'parent' and 'child' but remove certain attributes when being used as a 'child'?
当一个文件中的值用作另一个文件的参数时,如何将多个JSON文件传递给Onservable数组?
[英]How to pass multiple JSON file to Onservable Arrays when value in one file is used as argument for another file?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
将 json 文件导入 elticsearch
Logstash-运行配置文件时错误注册插件
如何在Logstash配置文件中包含过滤器?
logstash :使用一个 logstash conf 文件创建多个索引
JSON 输入到多个 excel 文件输出
对于Jersey / JAXB,是否可以使用相同的POJO作为“父”和“子”,但在用作“孩子”时删除某些属性?
杰克逊注释被忽略了
@JsonIgnore 和 @JsonBackReference 被忽略
如何在Logstash中过滤具有相同名称的多个字段?
当一个文件中的值用作另一个文件的参数时,如何将多个JSON文件传递给Onservable数组?
相关标签