如何在logstash whith标签中创建多索引

时间:2018-01-15 22:58:22

标签: logstash logstash-configuration

我有2个目录,我希望每个目录在elasticsearch中都是不同的索引,这是.conf文件     

input {
  stdin { type => "stdin-type"}
    file{
       path => "/home/falcoroot/development/falco/Jsons/**/*.json"
       add_tag => ["post"]
       start_position => "beginning"
       sincedb_path => "/dev/null"
       ignore_older => 0
    }
    file{
       path => "/home/falcoroot/development/falco/Clasificados/**/*.json"
       add_tag => ["class"]
       start_position => "beginning"
       sincedb_path => "/dev/null"
       ignore_older => 0
    }
}
output {
    stdout {
            codec=>dots
    }
    if "post" in [tags]{
            elasticsearch {
                    hosts => "localhost"
                    index => "facebook"
                    document_type => "posts"
                    document_id => "%{id}"
            }
    }
    if "class" in [tags]{
            elasticsearch {
                    hosts => "localhost"
                    index => "clasificados"
                    document_type => "posts"
                    document_id => "%{id}"
            }
    }

如果有人知道我做错了什么告诉我,或者告诉我创建不同索引whit logstash的正确方法

1 个答案:

答案 0 :(得分:0)

首先,最后有一个花括号丢失,但我想这只是一个副本问题。而不是使用标签,为什么不使用类似下面的类型......同样,最好在索引名称中添加类似日期的变量部分。

另一件事:在elasticsearch中考虑"索引"作为数据库和"类型"就像一张桌子。也许你想使用相同的索引,但使用不同的类型?

此配置对我有用:

input {
  stdin { type => "stdin-type"}
  file{
     path => "/home/falcoroot/development/falco/Jsons/**/*.json"
     type => "facebook"
     start_position => "beginning"
     sincedb_path => "/dev/null"
     ignore_older => 0
 }
 file{
     path => "/home/falcoroot/development/falco/Clasificados/**/*.json"
     type => "clasificados"
     start_position => "beginning"
     sincedb_path => "/dev/null"
     ignore_older => 0
 }
}
output {
  stdout {
        codec=>dots
  }
  if [type] in ["clasificados", "facebook"] {
     elasticsearch {
         hosts => ["localhost:9200"]
         index => "%{type}_%{+YYYY.MM.dd}"
         document_type => "posts"
         document_id => "%{id}"
     }
  }
}