7
ELK-学习笔记–elasticsearch的mapping |坐而言不如起而行! 二丫讲梵
source link: http://www.eryajf.net/5129.html
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
ELK-学习笔记–elasticsearch的mapping |坐而言不如起而行! 二丫讲梵
本文预计阅读时间 14 分钟
以往采集日志都是比较简单的操作,没有过多深入es的mapping等内容,不过有时候技能都是基于需求驱动的。
现有日志内容如下:
{"sign":"test-log","@timestamp":"2020-07-05T17:43:12+08:00","type":"filter","sale_id":2084090132,"sale_uri":"2003261352dvxv50","shop_id":47516579,"shop_uri":"1910201845lawpvt","cat_id":4,"sec_cat_id":4001,"rule":"startprice","description":"拍品起拍价\u003e0","score":0,"arguments":"{\"startPrice\":2600}"}
因为后期会对日志中一些内容进行聚合计算,因此要求日志中score字段写入之后是float类型,但是如果什么都不指定,那么默认写入之后,会分配一个其他的类型。
两种解决方式。
第一:创建索引的时候指定mapping
PUT test-index{"mappings" : {"properties" : {"score" : {"type" : "float"}}}}
返回结果:
{"acknowledged" : true,"shards_acknowledged" : true,"index" : "test-indexa"}
查看索引mapping:
GET test-index/_mapping
{"test-index" : {"mappings" : {"properties" : {"score" : {"type" : "float"}}}}}
这样写进来之后对应的 score字段就是float类型了。
但是这样有一个问题,因为刚刚是指定了单个索引的mapping,正常情况下,我们的日志索引都会按天来存,那么新的索引就无法自动进行对照了。接下来要引入索引模板的配置定义。
PUT _template/template_test{"index_patterns": ["test*"],"order" : 1,"settings" : {"number_of_shards": 1,"number_of_replicas" : 2},"mappings" : {"properties" : {"score" : {"type" : "float"}}}}
创建一个索引模板,只要是以test开头的索引,那么创建索引并写入进来之后,对应的score字段就应该是float类型了。
GET test-index-2020-03-30/_mapping{"test-index-2020-03-30" : {"mappings" : {"properties" : {"@timestamp" : {"type" : "date"},"@version" : {"type" : "text","fields" : {"keyword" : {"type" : "keyword","ignore_above" : 256}}},"arguments" : {"type" : "text","fields" : {"keyword" : {"type" : "keyword","ignore_above" : 256}}},"batch" : {"type" : "text","fields" : {"keyword" : {"type" : "keyword","ignore_above" : 256}}},"cat_id" : {"type" : "long"},"description" : {"type" : "text","fields" : {"keyword" : {"type" : "keyword","ignore_above" : 256}}},"host" : {"type" : "text","fields" : {"keyword" : {"type" : "keyword","ignore_above" : 256}}},"path" : {"type" : "text","fields" : {"keyword" : {"type" : "keyword","ignore_above" : 256}}},"rule" : {"type" : "text","fields" : {"keyword" : {"type" : "keyword","ignore_above" : 256}}},"sale_id" : {"type" : "long"},"sale_uri" : {"type" : "text","fields" : {"keyword" : {"type" : "keyword","ignore_above" : 256}}},"score" : {"type" : "float"},"sec_cat_id" : {"type" : "long"},"shop_id" : {"type" : "long"},"shop_uri" : {"type" : "text","fields" : {"keyword" : {"type" : "keyword","ignore_above" : 256}}},"sign" : {"type" : "text","fields" : {"keyword" : {"type" : "keyword","ignore_above" : 256}}},"type" : {"type" : "text","fields" : {"keyword" : {"type" : "keyword","ignore_above" : 256}}}}}}}
2,logstash处理。
还有一种相对简便的方案是在lgostash层面来做,让日志在从logstash转过来的时候,指定某些字段的类型,配置如下:
input {kafka {bootstrap_servers => "192.168.0.1:9092"group_id => "test-index"consumer_threads => 6topics => ["test-index"]client_id => "test-index"codec => "json"check_crcs => "false"}}filter {mutate {convert => {"score" => "float"}}}output {elasticsearch {hosts => ["http://192.168.0.2:9208"]index => "test-index-%{+YYYY-MM-dd-HH}"}}
实际生产中,也会利用这一功能,对NGINX的access日志进行一些特殊处理:
input {kafka {bootstrap_servers => "192.168.0.1:9092"group_id => "nginx_access"consumer_threads => 6topics => "nginx_access"codec => "json"}}filter {mutate {split => ["request_uri" , "?"]add_field => {"uri_path" => "%{request_uri[0]}""uri_query" => "%{request_uri[1]}"}remove_field => ["request_uri"]convert => {"response" => "integer""body_bytes_sent" => "integer""request_time" => "float""upstream_response_time" => "float"}}}output {elasticsearch {hosts => ["http://192.168.0.2:9208"]index => "nginx_access-%{+YYYY.MM.dd}-1"}}
以针对日志当中一些特殊字段进行相应处理。
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK