Elasticsearch: how to use _timestamp in Logstash / Elasticsearch

I would like to know how to use _timestamp with Logstash. I have tried adding the following to the mapping:
"_timestamp" : {
    "enabled" : true,
    "path" : "@timestamp"
},
But this did not have the desired effect. I am doing this in the elasticsearch template.json file (I tried both with and without "store" = true).

I add the modified file to the output filter:
output {
    elasticsearch_http {
        template => '/tmp/elasticsearch-template.json'
        host => '127.0.0.1'
        port => 9200
    }
}
To make sure the database is clean, I repeatedly do the following:
curl -XDELETE http://localhost:9200/logstash*
curl -XDELETE http://localhost:9200/_template/logstash
rm ~/.sincedb_*
Then I try to import my log file. But for some reason _timestamp is not set.

The mapping seems fine:
{
  "logstash-2014.03.24" : {
    "_default_" : {
      "dynamic_templates" : [ {
        "string_fields" : {
          "mapping" : {
            "index" : "analyzed",
            "omit_norms" : true,
            "type" : "string",
            "fields" : {
              "raw" : {
                "index" : "not_analyzed",
                "ignore_above" : 256,
                "type" : "string"
              }
            }
          },
          "match" : "*",
          "match_mapping_type" : "string"
        }
      } ],
      "_timestamp" : {
        "enabled" : true,
        "store" : true,
        "path" : "@timestamp"
      },
      "properties" : {
        "@version" : {
          "type" : "string",
          "index" : "not_analyzed",
          "omit_norms" : true,
          "index_options" : "docs"
        },
        "geoip" : {
          "dynamic" : "true",
          "properties" : {
            "location" : {
              "type" : "geo_point"
            }
          }
        }
      }
    },
    "logs" : {
      "dynamic_templates" : [ {
        "string_fields" : {
          "mapping" : {
            "index" : "analyzed",
            "omit_norms" : true,
            "type" : "string",
            "fields" : {
              "raw" : {
                "index" : "not_analyzed",
                "ignore_above" : 256,
                "type" : "string"
              }
            }
          },
          "match" : "*",
          "match_mapping_type" : "string"
        }
      } ],
      "_timestamp" : {
        "enabled" : true,
        "store" : true,
        "path" : "@timestamp"
      },
      "properties" : {
        "@timestamp" : {
          "type" : "date",
          "format" : "dateOptionalTime"
        },
A document in the database looks like this:
{
  "_id": "Cps2Lq1nTIuj_VysOwwcWw",
  "_index": "logstash-2014.03.25",
  "_score": 1.0,
  "_source": {
    "@timestamp": "2014-03-25T00:47:09.703Z",
    "@version": "1",
    "created": "2014-03-25 01:47:09,703",
    "host": "macbookpro.fritz.box",
    "message": "2014-03-25 01:47:09,703 - Starting new HTTP connection (1): localhost",
    "path": "/Users/scharf/git/ckann/annotator-store/logs/requests.log",
    "text": "Starting new HTTP connection (1): localhost"
  },
  "_type": "logs"
},
Why is the timestamp not set?

In short, it does work. I tested your specific scenario and found the following:

When _source is enabled and _timestamp is specified from a path within _source, you will never see _timestamp as part of the document, but if you add ?fields to the query string part, for example:

http://:9200/es_test_logs/ESTest1/ilq4PU3tR9SeoLo794wZlg?fields=_timestamp

you will get the correct timestamp value.

If you do not use path but instead pass _timestamp externally (in the _source document), you will see _timestamp normally in the document under the _source property.

If you disable the _source field, you will not see any properties in the document at all, even those set with "store": true. You can only see those fields when you specify ?fields or when you build a query that returns those fields.
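As an added example (not code from the question or the answer), the following Python script applies the check the answer describes: fetch the document once plainly and once with ?fields=_timestamp, and compare the returned _timestamp against @timestamp in _source. It assumes an Elasticsearch 1.x node at 127.0.0.1:9200 (the host and port from the logstash output block above) and that ?fields=_timestamp returns the stored value as epoch milliseconds, which is the ES 1.x behaviour; the sample responses are constructed from the document shown in the question, so the script also runs offline without a node.

```python
"""Verify that Elasticsearch actually set the _timestamp meta field.

Added example, not code from the question or the answer. Assumes an
Elasticsearch 1.x node and that `?fields=_timestamp` returns epoch millis.
"""
import json
import sys
import urllib.request
from datetime import datetime, timedelta, timezone

ES_BASE = "http://127.0.0.1:9200"  # host/port from the logstash output block
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def fields_url(index, doc_type, doc_id, base=ES_BASE):
    """URL for the ?fields=_timestamp GET the answer recommends (ES 1.x GET API)."""
    return "%s/%s/%s/%s?fields=_timestamp" % (base, index, doc_type, doc_id)


def to_epoch_millis(value):
    """Normalise a timestamp: ES 1.x returns _timestamp as epoch millis (int);
    an ISO 8601 string such as @timestamp in _source is converted with exact
    integer timedelta arithmetic (no float rounding of the millisecond part)."""
    if isinstance(value, bool):
        raise TypeError("not a timestamp: %r" % (value,))
    if isinstance(value, int):
        return value
    dt = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return (dt - EPOCH) // timedelta(milliseconds=1)


def check_timestamp(response):
    """Classify a GET-document response into the three cases from the answer.

    Returns (status, epoch_millis_or_None):
      'fields'  - _timestamp came back in "fields" (path-from-_source plus ?fields)
      'source'  - _timestamp sits inside _source (timestamp passed externally)
      'missing' - neither: a plain GET with path-from-_source, or _source disabled
                  without ?fields, looks exactly like this even when the value is set
    """
    fields = response.get("fields") or {}
    if "_timestamp" in fields:
        return "fields", to_epoch_millis(fields["_timestamp"])
    source = response.get("_source") or {}
    if "_timestamp" in source:
        return "source", to_epoch_millis(source["_timestamp"])
    return "missing", None


def timestamp_matches_source(fields_response, plain_response):
    """True when the stored _timestamp equals @timestamp from the plain GET's
    _source, i.e. the `"path": "@timestamp"` mapping did what the question expects."""
    _, millis = check_timestamp(fields_response)
    source = plain_response.get("_source") or {}
    if millis is None or "@timestamp" not in source:
        return False
    return millis == to_epoch_millis(source["@timestamp"])


# Constructed sample responses modelled on the document in the question
# (ES 1.x GET shape with "found"/"_version"); they are not real captures.
SAMPLE_PLAIN = {
    "_index": "logstash-2014.03.25", "_type": "logs",
    "_id": "Cps2Lq1nTIuj_VysOwwcWw", "_version": 1, "found": True,
    "_source": {
        "@timestamp": "2014-03-25T00:47:09.703Z", "@version": "1",
        "text": "Starting new HTTP connection (1): localhost",
    },
}
# Same document fetched with ?fields=_timestamp: ES returns the stored meta
# field (1395708429703 == 2014-03-25T00:47:09.703Z) and omits _source.
SAMPLE_WITH_FIELDS = {
    "_index": "logstash-2014.03.25", "_type": "logs",
    "_id": "Cps2Lq1nTIuj_VysOwwcWw", "_version": 1, "found": True,
    "fields": {"_timestamp": 1395708429703},
}
# _source disabled and no ?fields: nothing visible at all, as the answer says.
SAMPLE_SOURCE_DISABLED = {
    "_index": "logstash-2014.03.25", "_type": "logs",
    "_id": "Cps2Lq1nTIuj_VysOwwcWw", "_version": 1, "found": True,
}


def fetch(url):
    """GET a JSON document from a live node (only used when arguments are given)."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return json.load(resp)


if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: script.py <index> <type> <id>
        index, doc_type, doc_id = sys.argv[1:4]
        plain = fetch("%s/%s/%s/%s" % (ES_BASE, index, doc_type, doc_id))
        with_fields = fetch(fields_url(index, doc_type, doc_id))
    else:
        plain, with_fields = SAMPLE_PLAIN, SAMPLE_WITH_FIELDS
    print("plain GET          :", check_timestamp(plain))
    print("?fields=_timestamp :", check_timestamp(with_fields))
    print("matches @timestamp :", timestamp_matches_source(with_fields, plain))
    print("_source disabled   :", check_timestamp(SAMPLE_SOURCE_DISABLED))
```

Run with no arguments to see the three cases on the constructed samples; run with an index, type and id to query a live node. The plain GET reporting "missing" while the ?fields GET reports the value is exactly the situation in the question: the mapping worked, the meta field is simply not part of _source.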