我编写了一个 Logstash 配置文件,其中包含三个文件输入(都是日志文件)、三个过滤器(每个过滤器使用不同的模式)和三个 Elasticsearch 输出(每个输出写入不同的索引)。每个索引根据其输入类型使用不同的模板,并且索引按周分区。
问题是:运行上述配置文件时,索引模板被忽略,在创建索引时没有生效。
模板在这种情况下不起作用:
# Three file inputs. Each one stamps its events with a distinct `type`
# ('type_1' / 'type_2' / 'type_3') that the filter and output sections branch on.
# NOTE(review): the `type` value stays on the event as a regular field and is
# still present when the event reaches the elasticsearch outputs.
input {
file {
path => ["/path/to/file.log"]
start_position => "beginning"
# Read offsets are written to /dev/null, i.e. never persisted. Combined with
# start_position => "beginning" the file is presumably re-read in full after
# every restart, producing duplicate events in the index.
sincedb_path => "/dev/null"
# NOTE(review): the meaning of 0 here differs between file-input versions —
# confirm it does not cause files to be skipped.
ignore_older => 0
type => 'type_1'
}
file {
path => "/path/to/file2.log"
start_position => "beginning"
# Same non-persistent sincedb as the first input.
sincedb_path => "/dev/null"
ignore_older => 0
type => 'type_2'
}
file {
path => ["/path/to/file3.log"]
start_position => "beginning"
# Same non-persistent sincedb as the first input.
sincedb_path => "/dev/null"
ignore_older => 0
type => 'type_3'
}
}
# Per-type parsing. Every branch splits the pipe-separated line into named
# columns, parses one column as the event time, and drops message/path/host.
# NOTE(review): removing "message", "path" and "host" discards the raw log line
# and its origin; if these indices are ever used for audit or incident
# investigation, consider keeping at least the source host and file path.
filter {
if [type] == "type_1" {
csv {
columns => ["column1","column2","column3"]
separator => "|"
}
# First date filter: column3 becomes the event's @timestamp.
date {
match => [ "column3", "EEE MMM dd HH:mm:ss zzz yyyy" ]
target => "@timestamp"
}
# Second date filter: column3 itself is overwritten with the parsed date.
date {
match => [ "column3", "EEE MMM dd HH:mm:ss zzz yyyy" ]
target => "column3"
}
mutate {
remove_field => [ "message" ]
remove_field => [ "path" ]
remove_field => [ "host" ]
}
}
if [type] == "type_2" {
csv {
# NOTE(review): trailing comma after "column2" — confirm the config parser
# accepts it; it may be a leftover from anonymising the column list.
columns => ["column1","column2",]
separator => "|"
}
mutate {
remove_field => [ "message" ]
remove_field => [ "path" ]
remove_field => [ "host" ]
convert => { "column1" => "float" }
}
# column2 is the time column for type_2: copied to @timestamp, then
# replaced in place by the parsed date.
date {
match => [ "column2", "EEE MMM dd HH:mm:ss zzz yyyy" ]
target => "@timestamp"
}
date {
match => [ "column2", "EEE MMM dd HH:mm:ss zzz yyyy" ]
target => "column2"
}
}
if [type] == "type_3" {
csv {
columns => ["column1","column2","column3","column4"]
separator => "|"
}
mutate {
remove_field => [ "message" ]
remove_field => [ "path" ]
remove_field => [ "host" ]
convert => { "column3" => "float" }
convert => { "column1" => "float" }
}
# column4 is the time column for type_3: copied to @timestamp, then
# replaced in place by the parsed date.
date {
match => [ "column4", "EEE MMM dd HH:mm:ss zzz yyyy" ]
target => "@timestamp"
}
date {
match => [ "column4", "EEE MMM dd HH:mm:ss zzz yyyy" ]
target => "column4"
}
}
}
# Routes each event by its `type` to a per-type weekly index
# (%{+xxxx.ww} = week-year and week-of-year taken from @timestamp).
# None of the three outputs sets template, template_name or document_type.
# NOTE(review): in Logstash 2.x the elasticsearch output appears to use the
# event's `type` as the document type when document_type is not set. The
# templates shown later on the page only map document type "logs", so with
# `type` set on the inputs the mapping would not match these documents —
# confirm, and either set document_type explicitly or map the actual type.
# NOTE(review): no credentials or TLS options are configured; events travel
# over plain HTTP. Acceptable only while Elasticsearch listens on loopback.
output {
if [type] == "type_1" {
elasticsearch {
hosts => ["localhost:9200"]
index => "type_1-%{+xxxx.ww}"
}
}
if [type] == "type_2" {
elasticsearch {
hosts => ["localhost:9200"]
index => "type_2-%{+xxxx.ww}"
}
}
if [type] == "type_3" {
elasticsearch {
hosts => ["localhost:9200"]
index => "type_3-%{+xxxx.ww}"
}
}
}
相反,当每种输入文件类型、过滤器和 Elasticsearch 输出各自使用单独的配置文件时,模板可以正常工作。
模板在这里工作正常:
# Single file input for the per-type config file. Unlike the combined config,
# no `type` is assigned to the events here.
input {
file {
path => ["/path/to/file.log"]
start_position => "beginning"
# Read offsets are never persisted (sincedb goes to /dev/null), so the file
# is presumably re-read from the beginning after each restart.
sincedb_path => "/dev/null"
# NOTE(review): semantics of 0 depend on the file-input version — confirm.
ignore_older => 0
}
}
# Unconditional version of the type_1 parsing: split the pipe-separated line,
# use column3 as the event time, then drop message/path/host.
filter {
csv {
columns => ["column1","column2","column3"]
separator => "|"
}
# column3 -> @timestamp
date {
match => [ "column3", "EEE MMM dd HH:mm:ss zzz yyyy" ]
target => "@timestamp"
}
# column3 is then overwritten with its parsed date value.
date {
match => [ "column3", "EEE MMM dd HH:mm:ss zzz yyyy" ]
target => "column3"
}
# NOTE(review): this removes the raw line and its origin (host, file path);
# keep them if the index must support later investigation.
mutate {
remove_field => [ "message" ]
remove_field => [ "path" ]
remove_field => [ "host" ]
}
}
# Single unconditional output to the weekly type_1 index.
# NOTE(review): the events carry no `type` here, so the document type
# presumably falls back to "logs" — the type the page's templates map. That
# would explain why the template applies in this variant — confirm.
# No credentials or TLS are configured; plain HTTP to loopback only.
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "type_1-%{+xxxx.ww}"
}
}
我已经在配置文件中使用了以下参数:
- template => "file_name.json"
- template_overwrite => "true"
- manage_template => "true"
- template_name => "template_name"
但它们都没有起作用。
以前有人遇到过这个错误吗?
(我正在使用 elasticsearch 2.3.2 和 logstash 2.3.2)
任何帮助将不胜感激
我的模板
type_1
# Registers index template "type_1", applied to indices matching "type_1*".
# The mapping is declared for document type "logs" only and is strict:
# a document with a field not listed under "properties" is rejected.
# NOTE(review): events from the combined Logstash config carry a `type` field
# (not listed here) and are presumably indexed under that document type
# rather than "logs" — confirm; in that case this mapping does not apply.
# NOTE(review): "_source" is disabled, so the original event is not stored and
# cannot be retrieved or reindexed later — weigh against audit needs.
# The request is plain HTTP without credentials; keep it to loopback.
curl -X PUT 'localhost:9200/_template/type_1' -d '
{
"template": "type_1*",
"settings" : {
"index" : {
"refresh_interval" : "30s"
}
},
"mappings": {
"logs" : {
"_all": {
"enabled": false
},
"_source": {
"enabled": false
},
"dynamic": "strict",
"properties" : {
"column3" : {
"type" : "date",
"format" : "strict_date_optional_time||epoch_millis",
"norms": {
"enabled": false
}
},
"@timestamp" : {
"format" : "strict_date_optional_time||epoch_millis",
"type" : "date",
"norms": {
"enabled": false
}
},
"column2" : {
"type" : "string",
"index": "not_analyzed"
},
"column1" : {
"type" : "string",
"index": "not_analyzed"
},
"@version" : {
"type" : "string",
"norms": {
"enabled": false
}
}
}
}
}
}';
type_2
# Registers index template "type_2", applied to indices matching "type_2*".
# Strict mapping for document type "logs": column1 as float, column2 and
# @timestamp as dates, @version as string; any other field is rejected.
# NOTE(review): documents indexed under a document type other than "logs", or
# carrying an extra field such as `type`, would not fit this mapping — confirm
# against what the Logstash output actually sends.
# NOTE(review): "_source" disabled = original event not stored or retrievable.
# Plain HTTP, no credentials; keep it to loopback.
curl -X PUT 'localhost:9200/_template/type_2' -d '
{
"template": "type_2*",
"settings" : {
"index" : {
"refresh_interval" : "30s"
}
},
"mappings": {
"logs" : {
"_all": {
"enabled": false
},
"_source": {
"enabled": false
},
"dynamic": "strict",
"properties" : {
"column2" : {
"type" : "date",
"format" : "strict_date_optional_time||epoch_millis",
"norms": {
"enabled": false
}
},
"@timestamp" : {
"format" : "strict_date_optional_time||epoch_millis",
"type" : "date",
"norms": {
"enabled": false
}
},
"column1" : {
"type" : "float",
"index": "not_analyzed"
},
"@version" : {
"type" : "string",
"norms": {
"enabled": false
}
}
}
}
}
}';
type_3
# Registers index template "type_3", applied to indices matching "type_3*".
# Strict mapping for document type "logs": column1 and column3 as floats,
# column2 as an un-analyzed string, column4 and @timestamp as dates, @version
# as string; any other field is rejected.
# NOTE(review): documents indexed under a document type other than "logs", or
# carrying an extra field such as `type`, would not fit this mapping — confirm
# against what the Logstash output actually sends.
# NOTE(review): "_source" disabled = original event not stored or retrievable.
# Plain HTTP, no credentials; keep it to loopback.
curl -X PUT 'localhost:9200/_template/type_3' -d '
{
"template": "type_3*",
"settings" : {
"index" : {
"refresh_interval" : "30s"
}
},
"mappings": {
"logs" : {
"_all": {
"enabled": false
},
"_source": {
"enabled": false
},
"dynamic": "strict",
"properties" : {
"column4" : {
"type" : "date",
"format" : "strict_date_optional_time||epoch_millis",
"norms": {
"enabled": false
}
},
"@timestamp" : {
"format" : "strict_date_optional_time||epoch_millis",
"type" : "date",
"norms": {
"enabled": false
}
},
"column3" : {
"type" : "float",
"index": "not_analyzed"
},
"column2" : {
"type" : "string",
"index": "not_analyzed"
},
"column1" : {
"type" : "float",
"index": "not_analyzed"
},
"@version" : {
"type" : "string",
"norms": {
"enabled": false
}
}
}
}
}
}';