我的全部数据都存放在一个索引中,需要每天获取最近3天的记录并以CSV格式存储。也就是说,每天都要回溯3天的记录并保存到CSV文件中。如何仅通过logstash.config把查询范围设置为“从当前日期往前3天”?
# Input stage: read documents from one Elasticsearch index.
input {
  elasticsearch {
    hosts => "**Endpoint URL**"
    index => "**Index NAME**"

    # query_string "*" matches every document in the index; there is no
    # date restriction here, so the whole index is exported on each run.
    query => '{ "query": { "query_string": { "query": "*" } } }'

    # Credentials are written inline in this file. Logstash can resolve
    # "${NAME}" references from environment variables or from the Logstash
    # keystore, which keeps the secret out of the config file and out of
    # version control. An export job only needs a read-only account scoped
    # to this index.
    # NOTE(review): no TLS setting is visible here - confirm the connection
    # to the endpoint is encrypted before sending credentials over it.
    user => "***"
    password => "***"
  }
}
# Filter stage: csv parser, comma separated, column names detected from the
# data or generated automatically.
# NOTE(review): the csv filter parses a text field (by default `message`).
# Events read from Elasticsearch normally arrive as structured fields, so
# this stage may have nothing to parse - confirm it is needed at all.
filter {
  csv {
    autodetect_column_names => true
    autogenerate_column_names => true
    separator => ","
  }
}
# Output stage: echo every event to stdout and write it to a CSV file.
output {
  # Every exported document is also printed as a JSON line. When Logstash runs
  # as a service this usually ends up in the service log, so the exported data
  # then exists in a second place with its own access rules. Keep this for
  # debugging only.
  stdout {
    codec => json_lines
  }

  csv {
    # The list of columns to write is empty here.
    # NOTE(review): with no fields listed the rows are likely to be empty -
    # name the document fields that should be exported.
    fields => []

    # The CSV holds a copy of the index data: restrict the directory ACL to
    # the Logstash service account and to the people who consume the export.
    # The csv output has a `spreadsheet_safe` option (on by default) that
    # neutralises values a spreadsheet would treat as formulas; leave it on if
    # the file will be opened in Excel or similar.
    path => "C:/ELK_csv/**cvs_File_Name**.csv"
  }
}
需要添加日期过滤范围
{"query":{"bool":{"must":[{"range":{"createddate":{"gte":"","lt":""}}}],"must_not":[],"should":[]}},"from":0,"size":5000,"sort":[],"aggs":{}}
范围从当前日期起,往前回溯三天。
答案 0 :(得分:0)
可正常工作的 logstash.config 文件内容:
# Input stage: read the documents of the last three calendar days from one
# Elasticsearch index.
input {
  elasticsearch {
    hosts => "**ELK ENDPOINT URL**"
    index => "**INDEX NAME**"

    # Range filter on `createddate` using Elasticsearch date math:
    #   "gt":  "now-3d/d"  - with `gt`, /d rounds up to the end of that day,
    #                        so the day three days ago is excluded entirely;
    #   "lte": "now/d"     - with `lte`, /d rounds up to the end of today.
    # Net effect: the two previous calendar days plus today. Rounding is
    # done in UTC unless the range query sets "time_zone".
    # NOTE(review): the plugin pages through results with the scroll API and
    # has its own `size` option; whether "from"/"size" inside this body are
    # honoured depends on the plugin and Elasticsearch version - confirm, or
    # the export may be silently capped.
    query => '{ "query":{"bool":{"must":[{"range":{"createddate":{"gt":"now-3d/d","lte":"now/d"}}}],"must_not":[],"should":[]}},"from":0,"size":10000,"sort":[],"aggs":{} }'

    # Credentials are written inline in this file. Logstash can resolve
    # "${NAME}" references from environment variables or from the Logstash
    # keystore, which keeps the secret out of the config file and out of
    # version control. An export job only needs a read-only account scoped
    # to this index.
    # NOTE(review): no TLS setting is visible here - confirm the connection
    # to the endpoint is encrypted before sending credentials over it.
    user => "***"
    password => "***"
  }
}
# Filter stage: csv parser, comma separated, column names detected from the
# data or generated automatically.
# NOTE(review): the csv filter parses a text field (by default `message`).
# Events read from Elasticsearch normally arrive as structured fields, so
# this stage may have nothing to parse - confirm it is needed at all.
filter {
  csv {
    autodetect_column_names => true
    autogenerate_column_names => true
    separator => ","
  }
}
# Output stage: echo every event to stdout and write the selected fields to a
# CSV file.
output {
  # Every exported document is also printed as a JSON line. When Logstash runs
  # as a service this usually ends up in the service log, so the exported data
  # then exists in a second place with its own access rules. Keep this for
  # debugging only.
  stdout {
    codec => json_lines
  }

  csv {
    # Placeholder: replace with the quoted names of the fields to export.
    # Listing only the columns that are needed keeps unrelated (possibly
    # sensitive) fields out of the file.
    fields => [**FIELDS NAMES**]

    # The target is inside the Logstash installation's bin directory, next to
    # its executables. A dedicated data directory with an ACL limited to the
    # Logstash service account and the export's consumers is easier to
    # protect and to clean up.
    # The csv output has a `spreadsheet_safe` option (on by default) that
    # neutralises values a spreadsheet would treat as formulas; leave it on if
    # the file will be opened in Excel or similar.
    # NOTE(review): the file is presumably appended to on every run, so a
    # daily job with a 3-day window would write overlapping days repeatedly -
    # confirm, and consider one file per run.
    path => "C:/ELK6.4.2/logstash-6.4.2/bin/tmp/**CSV_3days**.csv"
  }
}