elasticsearch 如何在logstash elasticsearch中使用_时间戳

我想知道如何使用logstash

我已尝试添加到映射中：

   "_timestamp" : {
      "enabled" : true,
      "path" : "@timestamp"
   },

但这并没有达到预期效果。我在

elasticsearch template.json

文件中这样做（我尝试了使用和不使用

“store”=true

）：

我将修改后的文件添加到输出过滤器中

output {
  elasticsearch_http {
    template => '/tmp/elasticsearch-template.json'
    host => '127.0.0.1'
    port=>9200
  }
}

为了确保数据库干净，我反复执行以下操作：

curl -XDELETE http://localhost:9200/logstash*
curl -XDELETE http://localhost:9200/_template/logstash
rm ~/.sincedb_*

然后我尝试导入我的日志文件。但由于某些原因，

\u时间戳

未设置

映射似乎还可以

{
  "logstash-2014.03.24" : {
    "_default_" : {
      "dynamic_templates" : [ {
        "string_fields" : {
          "mapping" : {
            "index" : "analyzed",
            "omit_norms" : true,
            "type" : "string",
            "fields" : {
              "raw" : {
                "index" : "not_analyzed",
                "ignore_above" : 256,
                "type" : "string"
              }
            }
          },
          "match" : "*",
          "match_mapping_type" : "string"
        }
      } ],
      "_timestamp" : {
        "enabled" : true,
        "store" : true,
        "path" : "@timestamp"
      },
      "properties" : {
        "@version" : {
          "type" : "string",
          "index" : "not_analyzed",
          "omit_norms" : true,
          "index_options" : "docs"
        },
        "geoip" : {
          "dynamic" : "true",
          "properties" : {
            "location" : {
              "type" : "geo_point"
            }
          }
        }
      }
    },
    "logs" : {
      "dynamic_templates" : [ {
        "string_fields" : {
          "mapping" : {
            "index" : "analyzed",
            "omit_norms" : true,
            "type" : "string",
            "fields" : {
              "raw" : {
                "index" : "not_analyzed",
                "ignore_above" : 256,
                "type" : "string"
              }
            }
          },
          "match" : "*",
          "match_mapping_type" : "string"
        }
      } ],
      "_timestamp" : {
        "enabled" : true,
        "store" : true,
        "path" : "@timestamp"
      },
      "properties" : {
        "@timestamp" : {
          "type" : "date",
          "format" : "dateOptionalTime"
        },

数据库中的文档看起来像

 {
    "_id": "Cps2Lq1nTIuj_VysOwwcWw", 
    "_index": "logstash-2014.03.25", 
    "_score": 1.0, 
    "_source": {
      "@timestamp": "2014-03-25T00:47:09.703Z", 
      "@version": "1", 
      "created": "2014-03-25 01:47:09,703", 
      "host": "macbookpro.fritz.box", 
      "message": "2014-03-25 01:47:09,703 - Starting new HTTP connection (1): localhost", 
      "path": "/Users/scharf/git/ckann/annotator-store/logs/requests.log", 
      "text": "Starting new HTTP connection (1): localhost"
    }, 
    "_type": "logs"
  }, 

---

为什么时间戳没有设置？

简而言之，它确实有效

我测试了你的具体场景，我发现：

当使用启用的源代码并从

\u源代码中的某个路径指定
\u时间戳
时，
您将永远不会看到
\u timestamp
作为文档的一部分，但是如果添加
？字段
查询字符串部分，例如：

http://:9200/es_test_logs/ESTest1/ilq4PU3tR9SeoLo794wZlg？字段=_timestamp
您将获得正确的时间戳值

如果不使用path，而是将
\u timestamp
传递到外部（在
\u source
文档中），您将正常看到文档中
\u timestamp
属性下的
\u source

如果禁用
\u source
字段，则在文档中根本看不到任何属性，即使是设置为“
store”：true的属性。只有在指定
？字段时，或在生成返回这些字段的查询时，才能看到这些字段

 {
    "_id": "Cps2Lq1nTIuj_VysOwwcWw", 
    "_index": "logstash-2014.03.25", 
    "_score": 1.0, 
    "_source": {
      "@timestamp": "2014-03-25T00:47:09.703Z", 
      "@version": "1", 
      "created": "2014-03-25 01:47:09,703", 
      "host": "macbookpro.fritz.box", 
      "message": "2014-03-25 01:47:09,703 - Starting new HTTP connection (1): localhost", 
      "path": "/Users/scharf/git/ckann/annotator-store/logs/requests.log", 
      "text": "Starting new HTTP connection (1): localhost"
    }, 
    "_type": "logs"
  },