I can set the default elasticsearch logarithmic search through elasticsearch-template.json

I am using logstash + elasticsearch to collect syslog and want to set a ttl for log aging.

I found a file called elasticsearch-template.json in logstash; the path is logstash/logstash-1.4.2/lib/logstash/output/elasticsearch/elasticsearch-template.json

I add ttl information to the file as follows:

{
  "template" : "logstash-*",
  "settings" : {
    "index.refresh_interval" : "5s"
  },
  "mappings" : {
    "_default_" : {
      "_all" : {"enabled" : true},
      "dynamic_templates" : [ {
        "string_fields" : {
          "match" : "*",
          "match_mapping_type" : "string",
          "mapping" : {
            "type" : "string", "index" : "analyzed", "omit_norms" : true,
            "fields" : {
              "raw" : {"type": "string", "index" : "not_analyzed", "ignore_above" : 256}
            }
          }
        }
      } ],
      "_ttl": { "enabled": true, "default": "1d" },
      "properties" : {
        "@version": { "type": "string", "index": "not_analyzed" },
        "geoip" : {
          "type" : "object",
          "dynamic": true,
          "path": "full",
          "properties" : {
            "location" : { "type" : "geo_point" }
          }
        }
      }
    }
  }
}

Then I restart logstash and remove all elasticsearch indexes. I check the new index mapping in elasticsearch, but it does not work this way.

How to customize an index template?

+5
source share
3 answers

You need to change the logstash configuration.

If you used the default settings, logstash has already created a template inside elasticsearch called logstash. Logstash will continue to use this template stored in elasticsearch unless you specify it explicitly.

Modify the template file that you found, but in addition to this, in your start configuration, set the following:

output {
  elasticsearch {
    ...
    template_overwrite => true
    ...
  }
}
+8
source
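
An added example, not part of the answer above or of Logstash: an offline check for the situation the answer describes. It compares the edited template file with the copy Elasticsearch has stored (the body returned by GET /_template/logstash) and lists mapping entries, such as _ttl, that have not been applied. Both JSON samples and all function names are constructed for illustration.

```python
import fnmatch
import json

# Constructed sample: the edited template file, reduced to the parts that matter here.
LOCAL_FILE = """
{"template": "logstash-*",
 "mappings": {"_default_": {"_all": {"enabled": true},
                            "_ttl": {"enabled": true, "default": "1d"}}}}
"""
# Constructed sample: what GET /_template/logstash returns while the old copy is stored.
STORED_RESPONSE = """
{"logstash": {"template": "logstash-*",
              "mappings": {"_default_": {"_all": {"enabled": true}}}}}
"""

def unwrap(doc):
    """The GET response nests the body under the template name; a file is the bare body."""
    if "template" in doc or "mappings" in doc:
        return doc
    if len(doc) == 1:
        return next(iter(doc.values()))
    raise ValueError("cannot locate a template body in this document")

def not_applied(wanted, stored, prefix=""):
    """Paths set in `wanted` that are absent from, or different in, `stored`."""
    paths = []
    for key, value in wanted.items():
        path = prefix + key
        if key not in stored:
            paths.append(path)
        elif isinstance(value, dict) and isinstance(stored[key], dict):
            paths.extend(not_applied(value, stored[key], path + "/"))
        elif value != stored[key]:
            paths.append(path)
    return paths

def check(local_text, stored_text, index_name):
    local, stored = unwrap(json.loads(local_text)), unwrap(json.loads(stored_text))
    return {
        # Does the stored template apply to this index name at all?
        "pattern_matches": fnmatch.fnmatchcase(index_name, stored.get("template", "")),
        # Only mappings are compared: settings may come back in a different key layout.
        "not_applied": not_applied(local.get("mappings", {}), stored.get("mappings", {})),
    }

if __name__ == "__main__":
    print(check(LOCAL_FILE, STORED_RESPONSE, "logstash-2014.10.01"))
```

An empty not_applied list after restarting Logstash with template_overwrite => true means the stored template now carries the retention setting from the file.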

It does not look like the JSON file is in the correct folder. Here is the documentation on how to use the templates: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/indices-templates.html About the folder:

Configuration

Index templates can also be placed in the configuration folder (path.conf) in the templates directory (note, do not forget to put them on all master-eligible nodes). For example, a file called template_1.json can be placed in config/templates, and it will be added if it matches the index. Here is an example of the specified file:

+2
source

I created a new template.json file and defined the path to it in the output block of the elasticsearch logstash.yml configuration file:

stdout { codec => json_lines }
elasticsearch {
  "hosts" => ["ip:port"]
  "index" => "name-of-index-%{+dd.MM.YYYY}"
  template => "/{path-to-logstash-folder}/templates/your-template.json"
  template_overwrite => true
  manage_template => false
}

I specified the document_type for Elastic in the input block of the logstash.yml configuration file:

input {
  file {
    path => "/your-path-to-directory/*.log"
    type => "name-of-type"
  }
}

Here is the template.json file:

{
  "name-of-index": {
    "order": 0,
    "version": 50001,
    "template": "name-of-index-*",
    "settings": {
      "index": { "refresh_interval": "5s" }
    },
    "mappings": {
      "_default_": {
        "dynamic_templates": [
          {
            "message_field": {
              "path_match": "message",
              "mapping": { "norms": false, "type": "text" },
              "match_mapping_type": "string"
            }
          },
          {
            "string_fields": {
              "mapping": {
                "norms": false,
                "type": "text",
                "fields": {
                  "keyword": { "type": "keyword" }
                }
              },
              "match_mapping_type": "string",
              "match": "*"
            }
          }
        ],
        "_all": { "norms": false, "enabled": true },
        "properties": {
          "@timestamp": { "include_in_all": false, "type": "date" },
          "geoip": {
            "dynamic": true,
            "properties": {
              "ip": { "type": "ip" },
              "latitude": { "type": "half_float" },
              "location": { "type": "geo_point" },
              "longitude": { "type": "half_float" }
            }
          },
          "@version": { "include_in_all": false, "type": "keyword" }
        }
      }
    },
    "aliases": {}
  }
}
0
source

Source: https://habr.com/ru/post/1209333/

