How to create multi-index in Logstash with tags
I have 2 directories, and I want each directory to be a different index in Elasticsearch. This is the .conf file:
input {
  stdin { type => "stdin-type" }
  file {
    path => "/home/falcoroot/development/falco/Jsons/**/*.json"
    add_tag => ["post"]
    start_position => "beginning"
    sincedb_path => "/dev/null"
    ignore_older => 0
  }
  file {
    path => "/home/falcoroot/development/falco/Clasificados/**/*.json"
    add_tag => ["class"]
    start_position => "beginning"
    sincedb_path => "/dev/null"
    ignore_older => 0
  }
}
output {
  stdout {
    codec => dots
  }
  if "post" in [tags] {
    elasticsearch {
      hosts => "localhost"
      index => "facebook"
      document_type => "posts"
      document_id => "%{id}"
    }
  }
  if "class" in [tags] {
    elasticsearch {
      hosts => "localhost"
      index => "clasificados"
      document_type => "posts"
      document_id => "%{id}"
    }
  }
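If anyone knows what I am doing wrong, please tell me, or tell me the correct way to create different indices with Logstash.
First of all, a closing curly brace is missing at the end, but I guess that is just a copy-paste issue. Instead of using tags, why not use type, as shown below... Also, it is always a good idea to add a variable part such as the date to the index name.
Another thing: in Elasticsearch, think of an "index" as a database, and a "type" as a table. Maybe you want to use the same index, but with different types?
This configuration works for me: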
input {
  stdin { type => "stdin-type" }
  file {
    path => "/home/falcoroot/development/falco/Jsons/**/*.json"
    type => "facebook"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    ignore_older => 0
  }
  file {
    path => "/home/falcoroot/development/falco/Clasificados/**/*.json"
    type => "clasificados"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    ignore_older => 0
  }
}
output {
  stdout {
    codec => dots
  }
  if [type] in ["clasificados", "facebook"] {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "%{type}_%{+YYYY.MM.dd}"
      document_type => "posts"
      document_id => "%{id}"
    }
  }
}
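A variant of the answer's output section, added here as an example (not part of the original answer): it builds the index name in `[@metadata]` only for allow-listed types and indexes only events that carry an `id`, because Logstash leaves an unresolved `%{id}` reference as literal text, so every event without that field would be written to the same document. The `target_index` field name and the fallback file path are assumptions.

```logstash
filter {
  # Allow-list the types that may become part of an index name. Anything
  # else (for example the stdin input's "stdin-type") gets no target index.
  if [type] in ["clasificados", "facebook"] {
    mutate {
      # [@metadata] fields are available to outputs but are not stored
      # in the indexed document. "target_index" is a hypothetical name.
      add_field => { "[@metadata][target_index]" => "%{type}_%{+YYYY.MM.dd}" }
    }
  }
}

output {
  if [@metadata][target_index] and [id] {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "%{[@metadata][target_index]}"
      document_type => "posts"
      document_id => "%{id}"
    }
  } else {
    # Events with a type outside the allow-list, or with no id field,
    # go to a local file for review instead of being indexed.
    file {
      path => "/tmp/logstash_unrouted.log"   # hypothetical path
    }
  }
}
```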