Is Kibana date format index pattern still supported?

I got the latest Kibana 5.4.0, and the docs say:

https://www.elastic.co/guide/en/kibana/current/index-patterns.html#settings-create-pattern

To use an event time in an index name, enclose the static text in the pattern and specify the date format using the tokens described in the following table.

For example, [logstash-]YYYY.MM.DD matches all indices whose names have a timestamp of the form YYYY.MM.DD appended to the prefix logstash-, such as logstash-2015.01.31 and logstash-2015-02-01.

When I try to create the patterns [testx_]YYYY-MM-DD_HH-mm, [testx_]YYYY-MM-DD_HH, [testx_]YYYY-MM-DD, Kibana can't find the @timestamp field and says that none of the indices match these patterns.

GET _cat/indices
yellow open testx_2017-06-19_14    dHAfSzAuSEKpYLuA8p5EIw 1 1 1 0 4.6kb 4.6k
yellow open testx_2017-06-19_13-59 hfGkELCsSUavaX8GuLPuMQ 1 1 1 0 4.6kb 4.6kb
yellow open testx_2017-06-19       lbsdW18cSIuZ2bNn1Fw7WA 1 1 1 0 4.6kb 4.6kb

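On the other hand, for the testx_* pattern Kibana finds the @timestamp field and matches 100% of the indices...

Does the latest Kibana support time-based index names?

I'd like to get the performance benefit from the index naming schema, if it is still appropriate...

UPDATE

What's wrong:

Some warnings:

UPDATE 2 I found https://www.elastic.co/blog/managing-time-based-indices-efficiently which promotes the "rollover pattern". Maintaining date/time in the index name is no longer the recommended way, but I doubt the new API makes life easier ((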

According to these issues:

Kibana 4.3.0 should address this for you: it automatically optimizes wildcard index patterns such as logstash-* in the same way that you could previously only achieve by manually configuring a time-based index pattern name that matches your underlying indexing scheme (e.g. [logstash-]YYYY.MM.DD).

Elasticsearch 1.6 introduced the _field_stats API which will, for the first time, allow us to search for indices that contain fields within a given range. For example, we can search for indices that contain an @timestamp between X and Y.

This means that users will no longer be required to roll their indices at UTC midnight, nor use date patterns at all. They can effectively name indices whatever they want, and Kibana can automatically optimize requests by firing a pre-flight request for indices. We might need to add some caching here, but it should greatly enhance usability.

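Time-based names are not needed for performance, but keeping time-based index names is still useful for archiving old indices.

UPDATE Created an issue to remove time-based patterns from the docs. https://github.com/elastic/kibana/issues/12406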
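
The two index-selection strategies contrasted in the issue text quoted above, as an added example that is not part of the original answer or of Kibana's code: `render` and `candidate_names` expand a date-format pattern into index names for a query window, and `by_field_range` keeps every index whose `@timestamp` range overlaps that window. The index `testx-000004`, the time ranges and all function names are constructed for illustration, and only the five date tokens used on this page are handled.

```python
import re
from datetime import datetime, timedelta

# Date tokens that appear in the patterns on this page, as strftime directives.
TOKENS = {"YYYY": "%Y", "MM": "%m", "DD": "%d", "HH": "%H", "mm": "%M"}
_PART = re.compile(r"\[([^\]]*)\]|(YYYY|MM|DD|HH|mm)|(.)")

def render(pattern, when):
    """Render a pattern such as [testx_]YYYY-MM-DD_HH for one point in time."""
    return "".join(
        when.strftime(TOKENS[token]) if token else literal or other
        for literal, token, other in _PART.findall(pattern)
    )

def candidate_names(pattern, start, end):
    """Name-based selection: every index name the query window can produce."""
    tokens = _PART.sub(lambda m: m.group(2) or "", pattern)
    per_minute = "mm" in tokens
    step = timedelta(minutes=1) if per_minute else timedelta(hours=1)
    t = start.replace(minute=start.minute if per_minute else 0, second=0, microsecond=0)
    names = []
    while t <= end:
        name = render(pattern, t)
        if name not in names:
            names.append(name)
        t += step
    return names

def by_field_range(ranges, start, end):
    """Pre-flight selection: indices whose @timestamp [min, max] overlaps the window."""
    return sorted(n for n, (lo, hi) in ranges.items() if lo <= end and hi >= start)

# Constructed sample: index name -> (min, max) of @timestamp, standing in for
# per-index field statistics. The last index was rolled over by size, so its
# name carries no date.
RANGES = {
    "testx_2017-06-17": (datetime(2017, 6, 17, 0, 0), datetime(2017, 6, 17, 23, 59)),
    "testx_2017-06-18": (datetime(2017, 6, 18, 0, 0), datetime(2017, 6, 18, 23, 59)),
    "testx_2017-06-19": (datetime(2017, 6, 19, 0, 0), datetime(2017, 6, 19, 13, 58)),
    "testx-000004": (datetime(2017, 6, 19, 13, 59), datetime(2017, 6, 20, 9, 30)),
}
START, END = datetime(2017, 6, 18, 22, 0), datetime(2017, 6, 19, 15, 0)

if __name__ == "__main__":
    by_name = [n for n in candidate_names("[testx_]YYYY-MM-DD", START, END) if n in RANGES]
    print("date pattern:", by_name)
    print("field range :", by_field_range(RANGES, START, END))
```

With the date pattern, the rolled-over index is never queried, so its events drop out of the search without any error; that is worth checking when a log search over such a window comes back unexpectedly thin.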

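Previous versions of Elasticsearch allowed fields such as @timestamp to be added automatically. https://www.elastic.co/guide/en/elasticsearch/reference/current/breaking_50_mapping_changes.html So the index does not contain time-based events, or in other words, no field contains a date-time field. I dump JSON logs directly into Elasticsearch and add a timestamp before adding them to Elasticsearch. So when creating the index I select the timestamp field I defined.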