logstash的输入是
input {
file {
path => "/tmp/very-large.json"
type => "json"
start_position => "beginning"
sincedb_path => "/dev/null"
}
和示例json文件
{"type":"type1", "msg":"..."}
{"type":"type2", "msg":"..."}
{"type":"type1", "msg":"..."}
{"type":"type3", "msg":"..."}
是否可以将它们输入到不同的弹性搜索索引中,以便将来更容易处理它们?
我知道是否可以使用tag
分配它们,然后我可以执行类似
if "type1" in [tags] {
elasticsearch {
hosts => ["localhost:9200"]
action => "index"
index => "logstash-type1%{+YYYY.MM.dd}"
flush_size => 50
}
}
如何通过查看特定的json字段值来执行类似的操作,例如:我上面的例子中是type
?
答案 0 :(得分:1)
更简单,只需使用type
字段来构建索引名称,如下所示:
elasticsearch {
hosts => ["localhost:9200"]
action => "index"
index => "logstash-%{type}%{+YYYY.MM.dd}"
flush_size => 50
}