我有一个包含100条记录的json文件。它的结构是这样的:
"location" : { "type" : "geo_point" }
我需要从Kibana创建一些Geo可视化,所以我已经用这种方式在映射文件中定义了geo_point类型:
input {
stdin {
type => "json"
}
}
filter {
json {
source => "message"
}
mutate {
rename => [ "location", "newlocation" ]
add_field => { "location" => "%{[newlocation][latitude]},%{[newlocation][longitude]}" }
}
}
output {
elasticsearch {
...
}
}
由于location字段必须遵循某种结构(https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-geo-point-type.html),因此我在logstash配置文件中完成了以下操作:
{
"_app1": {
"test": "test"
},
"location": {
"longitude": null,
"latitude": 40.400000000000006,
"country": "CH"
},
"timestamp": "2015-08-23"
}
使用此配置,我得到大多数文档都在elasticsearch中编入索引,但是(如果经度或纬度为" null"寄存器未编入索引。所以,例如,这条记录:
...
filter {
json {
source => "message"
}
mutate {
rename => [ "location", "newlocation" ]
}
if [newlocation][latitude] and [newlocation][longitude] {
mutate {
add_field => { "location" => "%{[newlocation][latitude]},%{[newlocation][longitude]}" }
}
}
}
..
不会在ES中编入索引。我的问题是,如何索引ES中的所有寄存器,并为纬度和经度不同的那些寄存器创建一个新字段。
我尝试过这样的事情:
{{1}}
但没有工作,有什么想法吗?
答案 0 :(得分:0)
您的配置适用于此测试工具:
input {
stdin { }
}
filter {
json {
source => "message"
}
mutate {
rename => [ "location", "newlocation" ]
}
if [newlocation][latitude] and [newlocation][longitude] {
mutate {
add_field => { "location" => "%{[newlocation][latitude]},%{[newlocation][longitude]}" }
}
}
}
output {
stdout {
codec => rubydebug
}
}