Why does the elasticsearch input plugin in logstash ignore aggregations?

Time: 2017-08-29 10:47:35

Tags: elasticsearch logstash

I created a curl command that gives only the aggregated data:

curl -k 'https://localhost:9200/logstash-*/_search' -d '{
  "size": 0,
  "aggs": {
    "2": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "1d",
        "time_zone": "Europe/Berlin",
        "min_doc_count": 1
      }
    }
  },
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "query": "type:app AND tags:app",
            "analyze_wildcard": true
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": 1501538400000,
              "lte": 1504216799999,
              "format": "epoch_millis"
            }
          }
        }
      ]
    }
  }
}'

Now I rewrite it for the elasticsearch input plugin and save the output to a file:

input {
  elasticsearch {
    hosts => "localhost"
    query => '{
      "size": 0,
      "aggs": {
        "2": {
          "date_histogram": {
            "field": "@timestamp",
            "interval": "1d",
            "time_zone": "Europe/Berlin",
            "min_doc_count": 1
          }
        }
      },
      "query": {
        "bool": {
          "must": [
            {
              "query_string": {
                "query": "type:app AND tags:app",
                "analyze_wildcard": true
              }
            },
            {
              "range": {
                "@timestamp": {
                  "gte": 1501538400000,
                  "lte": 1504216799999,
                  "format": "epoch_millis"
                }
              }
            }
          ]
        }
      }
    }'
    docinfo => true
  }
}

output {
  file {
    path => "/data/logstash/parsefailure/test-%{+YYYY-MM-dd}.txt"
  }
}

But in the file I can see the whole json message, not just the aggregation data. Why?
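The Logstash elasticsearch input walks the query's hits and emits each hit as an event; a response's `aggregations` section is not part of the hits and so never reaches the output. The script below is an added example, not code from the question or from the Logstash project: it takes an Elasticsearch `_search` reply for the same `date_histogram` query, shows that a hits-only consumer sees nothing (because of `"size": 0`), extracts the buckets from the `aggregations` key, and writes one line per bucket to a file. The sample response, the output path and the `fetch` helper's URL and CA-bundle parameter are constructed assumptions; `fetch` verifies the server certificate instead of skipping verification the way `curl -k` does.

```python
"""Extract date_histogram buckets from an Elasticsearch _search response.

Added example, not from the original post. Constructed assumptions: the
sample response below, the output path, and the cluster URL passed to fetch().
"""
import json
import ssl
import urllib.request

AGG_NAME = "2"  # aggregation name used in the question's query

# Constructed sample of what /_search returns for the question's query:
# "hits" is empty because of "size": 0, the summary data lives under
# "aggregations".
SAMPLE_RESPONSE = json.dumps({
    "took": 12,
    "timed_out": False,
    "hits": {"total": 3, "max_score": 0.0, "hits": []},
    "aggregations": {
        "2": {
            "buckets": [
                {"key_as_string": "2017-08-01T00:00:00.000+02:00",
                 "key": 1501538400000, "doc_count": 2},
                {"key_as_string": "2017-08-02T00:00:00.000+02:00",
                 "key": 1501624800000, "doc_count": 1},
            ]
        }
    },
})


def hits_only(response_body):
    """What a hits-walking consumer (such as the Logstash input) sees: the documents only."""
    return json.loads(response_body)["hits"]["hits"]


def extract_buckets(response_body, agg_name=AGG_NAME):
    """Return [(key_as_string, doc_count), ...] from a date_histogram aggregation.

    Raises KeyError when the body carries no such aggregation, which is exactly
    what a consumer holding only the "hits" portion of the reply would get.
    """
    doc = json.loads(response_body)
    buckets = doc["aggregations"][agg_name]["buckets"]
    return [(b["key_as_string"], b["doc_count"]) for b in buckets]


def write_buckets(path, buckets):
    """Write one 'date<TAB>count' line per bucket; return the number of lines written."""
    with open(path, "w", encoding="utf-8") as fh:
        for key, count in buckets:
            fh.write(f"{key}\t{count}\n")
    return len(buckets)


def fetch(url, query, cafile=None):
    """POST the query body to /_search with certificate verification enabled.

    cafile: CA bundle that signed the cluster certificate; None uses the
    system trust store. Not executed here; assumes a reachable cluster.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        url,
        data=json.dumps(query).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print("hits seen by a hits-only consumer:", hits_only(SAMPLE_RESPONSE))
    buckets = extract_buckets(SAMPLE_RESPONSE)
    print("aggregation buckets:", buckets)
    print("lines written:", write_buckets("/tmp/agg-buckets.txt", buckets))
```

To use it against a real cluster, call `fetch("https://localhost:9200/logstash-*/_search", query, cafile="/path/to/ca.pem")` with the question's query as a Python dict and pass the returned body to `extract_buckets`; a scheduled run of this script (or an `exec`/`http_poller`-style input that keeps the full response body) is a way to get the summary data into a file, whereas the elasticsearch input will only ever deliver hits.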

0 answers:

No answers