我有2个目录,我希望每个目录在elasticsearch中都是不同的索引,这是.conf文件
input {
stdin { type => "stdin-type"}
file{
path => "/home/falcoroot/development/falco/Jsons/**/*.json"
add_tag => ["post"]
start_position => "beginning"
sincedb_path => "/dev/null"
ignore_older => 0
}
file{
path => "/home/falcoroot/development/falco/Clasificados/**/*.json"
add_tag => ["class"]
start_position => "beginning"
sincedb_path => "/dev/null"
ignore_older => 0
}
}
output {
stdout {
codec=>dots
}
if "post" in [tags]{
elasticsearch {
hosts => "localhost"
index => "facebook"
document_type => "posts"
document_id => "%{id}"
}
}
if "class" in [tags]{
elasticsearch {
hosts => "localhost"
index => "clasificados"
document_type => "posts"
document_id => "%{id}"
}
}
如果有人知道我做错了什么告诉我,或者告诉我创建不同索引whit logstash的正确方法
答案 0 :(得分:0)
首先,最后有一个花括号丢失,但我想这只是一个副本问题。而不是使用标签,为什么不使用类似下面的类型......同样,最好在索引名称中添加类似日期的变量部分。
另一件事:在elasticsearch中考虑"索引"作为数据库和"类型"就像一张桌子。也许你想使用相同的索引,但使用不同的类型?
此配置对我有用:
input {
stdin { type => "stdin-type"}
file{
path => "/home/falcoroot/development/falco/Jsons/**/*.json"
type => "facebook"
start_position => "beginning"
sincedb_path => "/dev/null"
ignore_older => 0
}
file{
path => "/home/falcoroot/development/falco/Clasificados/**/*.json"
type => "clasificados"
start_position => "beginning"
sincedb_path => "/dev/null"
ignore_older => 0
}
}
output {
stdout {
codec=>dots
}
if [type] in ["clasificados", "facebook"] {
elasticsearch {
hosts => ["localhost:9200"]
index => "%{type}_%{+YYYY.MM.dd}"
document_type => "posts"
document_id => "%{id}"
}
}
}