elasticsearch 如何将大型json文件输入拆分为不同的弹性搜索索引?,elasticsearch,logstash,logstash-configuration,elasticsearch,Logstash,Logstash Configuration" /> elasticsearch 如何将大型json文件输入拆分为不同的弹性搜索索引?,elasticsearch,logstash,logstash-configuration,elasticsearch,Logstash,Logstash Configuration" />
Fatal编程技术网
  • elasticsearch/
  • elasticsearch 如何将大型json文件输入拆分为不同的弹性搜索索引?

elasticsearch 如何将大型json文件输入拆分为不同的弹性搜索索引?

logstash

elasticsearch 如何将大型json文件输入拆分为不同的弹性搜索索引?,elasticsearch,logstash,logstash-configuration,elasticsearch,Logstash,Logstash Configuration,logstash的输入是 input { file { path => "/tmp/very-large.json" type => "json" start_position => "beginning" sincedb_path => "/dev/null" } 和示例json文件 {"type":"type1", "msg":"..."} {"type":"type2", "msg":

logstash的输入是

input {
    file {
        path => "/tmp/very-large.json"
        type => "json"
        start_position => "beginning"
        sincedb_path => "/dev/null"
    }
和示例json文件

{"type":"type1", "msg":"..."}
{"type":"type2", "msg":"..."}
{"type":"type1", "msg":"..."}
{"type":"type3", "msg":"..."}
是否可以将它们输入到不同的弹性搜索索引中,以便将来可以更轻松地处理它们

我知道如果可以给它们分配一个
标记
,那么我可以做如下操作

if "type1" in [tags] {
    elasticsearch {
        hosts => ["localhost:9200"]
        action => "index"
        index => "logstash-type1%{+YYYY.MM.dd}"
        flush_size => 50
    }
}
如何通过查看特定的json字段值来执行类似的操作,例如,在我上面的示例中,
类型

更简单,只需使用
类型
字段来构建索引名称,如下所示:

elasticsearch {
    hosts => ["localhost:9200"]
    action => "index"
    index => "logstash-%{type}%{+YYYY.MM.dd}"
    flush_size => 50
}
您可以在任何字段上进行比较。您必须首先使用or解析json

然后您将有一个
类型
字段要处理,如下所示:

if [type] == "type1" {
    elasticsearch {
        ...
        index => "logstash-type1%{+YYYY.MM.dd}"
    }
} else if [type] == "type2" {
    elasticsearch {
        ...
        index => "logstash-type2%{+YYYY.MM.dd}"
    }
} ...
或者像瓦尔的回答一样:

elasticsearch {  
    hosts => ["localhost:9200"]  
    action => "index"  
    index => "logstash-%{type}%{+YYYY.MM.dd}"  
    flush_size => 50  
}
答案是正确的,但仅供参考,您可以这样做:if[type]=“type1”