How does Logstash process a field for the ES date_range type?
Here is the mapping of the target Elasticsearch index:
"mappings": {
  "_doc": {
    "properties": {
      "start_time": {
        "format": "epoch_millis",
        "type": "date"
      },
      "channel": {
        "type": "keyword"
      },
      "end_time": {
        "format": "epoch_millis",
        "type": "date"
      },
      "range_time": {
        "format": "epoch_millis",
        "type": "date_range"
      }
    }
  }
}
Here is my relevant Logstash configuration file:
filter {
  mutate {
    split => ["message", "|"]
    add_field => {
      "start_time" => "%{[message][1]}"
      "end_time" => "%{[message][2]}"
      "channel" => "%{[message][5]}"
      "range_time" => [
        "%{[message][1]}",
        "%{[message][2]}"
      ]
    }
    remove_field => "message"
  }
}
output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => [ "localhost" ]
    index => "test_live"
  }
}
My question is how to write the "range_time" => part ([mutate][add_field][range_time]) so that date_range data is sent to ES.
In the console, I get output like this:
{
    "@timestamp" => 2021-04-19T01:46:40.617Z,
    "start_time" => "20210401001401",
    "end_time" => "20210401001408",
    "range_time" => [
        [0] "20210401001401",
        [1] "20210401001408"
    ],
    "host" => "localhost.localdomain",
    "channel" => "SCTV-2",
    "path" => "/**/",
    "@version" => "1"
}
But the output does not write the data to the index correctly.
What should I do?
A date_range field contains two fields named gte and lte.
So you simply need to do this:
add_field => {
  ...
  "[range_time][gte]" => "%{[message][1]}"
  "[range_time][lte]" => "%{[message][2]}"
}
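An added example, not part of the original question or answer: the mapping declares epoch_millis while the sample values look like yyyyMMddHHmmss strings, so this Ruby code converts them and builds the gte/lte object that a date_range field takes. It assumes the timestamps are UTC; the sample line is constructed, and only positions 1, 2 and 5 come from the page.

```ruby
require "json"

# Constructed sample line: positions 1, 2 and 5 carry the values shown in the
# console output above; the other positions are placeholders.
SAMPLE_LINE = "f0|20210401001401|20210401001408|f3|f4|SCTV-2"

# Convert a yyyyMMddHHmmss string (assumed to be UTC) to epoch milliseconds,
# the format declared in the index mapping.
def to_epoch_millis(stamp)
  m = /\A(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\z/.match(stamp.to_s)
  raise ArgumentError, "not yyyyMMddHHmmss: #{stamp.inspect}" unless m
  Time.utc(*m.captures.map(&:to_i)).to_i * 1000
end

# Build the document body for the test_live index from one pipe-delimited line.
def build_doc(line)
  parts = line.split("|")
  raise ArgumentError, "expected at least 6 fields" if parts.length < 6

  gte = to_epoch_millis(parts[1])
  lte = to_epoch_millis(parts[2])
  # Refuse an inverted range instead of sending it to the index.
  raise ArgumentError, "start_time is after end_time" if gte > lte

  {
    "start_time" => gte,
    "end_time"   => lte,
    "channel"    => parts[5],
    # date_range is an object with bounds, not a two-element array.
    "range_time" => { "gte" => gte, "lte" => lte }
  }
end

puts JSON.pretty_generate(build_doc(SAMPLE_LINE)) if __FILE__ == $PROGRAM_NAME
```

Inside a Logstash ruby filter the same bounds would be written with event.set("[range_time][gte]", gte) and event.set("[range_time][lte]", lte).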