How do I split a large JSON file input into different Elasticsearch indices?

Time: 2016-08-12 12:29:46

Tags: elasticsearch logstash logstash-configuration

The Logstash input is

input {
    file {
        path => "/tmp/very-large.json"
        type => "json"
        start_position => "beginning"
        sincedb_path => "/dev/null"
    }
}

and the sample JSON file

{"type":"type1", "msg":"..."}
{"type":"type2", "msg":"..."}
{"type":"type1", "msg":"..."}
{"type":"type3", "msg":"..."}

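Is it possible to feed them into different Elasticsearch indices, so that they are easier to process in the future?

I know that if it is possible to assign them a tag, then I can do something like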
if "type1" in [tags] {
    elasticsearch {
        hosts => ["localhost:9200"]
        action => "index"
        index => "logstash-type1%{+YYYY.MM.dd}"
        flush_size => 50
    }
}

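How can I do something similar by looking at a specific JSON field value, e.g. type in my example above?

1 answer:

Answer 0: (score: 1)

Even simpler, just use the type field to build the index name, like this: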

elasticsearch {
    hosts => ["localhost:9200"]
    action => "index"
    index => "logstash-%{type}%{+YYYY.MM.dd}"
    flush_size => 50
}
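
Added example (not part of the question or the answer): because the index name above is built from a value inside each event, an unexpected or malformed type would create a new index or be rejected by Elasticsearch, which requires lowercase index names. The pipeline below checks the field against an allow-list first; the three type values come from the sample file, while the [@metadata][index_suffix] field, the "unknown" catch-all and the hyphen before the date are assumptions made for this example.

```logstash
input {
    file {
        path => "/tmp/very-large.json"
        codec => "json"              # parse each line so [type] comes from the JSON itself
        start_position => "beginning"
        sincedb_path => "/dev/null"
    }
}

filter {
    # Only values on this allow-list may become part of an index name.
    if [type] in ["type1", "type2", "type3"] {
        mutate { add_field => { "[@metadata][index_suffix]" => "%{type}" } }
    } else {
        # Missing or unexpected type: send the event to one catch-all index
        # instead of letting event data pick an arbitrary index name.
        mutate { add_field => { "[@metadata][index_suffix]" => "unknown" } }
    }
}

output {
    elasticsearch {
        hosts => ["localhost:9200"]
        # @metadata fields are used for routing only and are not stored in the document.
        index => "logstash-%{[@metadata][index_suffix]}-%{+YYYY.MM.dd}"
    }
}
```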