我在 elasticsearch 1.7 中创建了一个索引,如下所示:
curl -XPUT 'http://localhost:9200/test' -d '
{
"test" : {
"properties" : {
"user" : {"type" : "string", "index" : "not_analyzed"},
"message" : {"type" : "string", "null_value" : "na"},
"syslogtimestamp" : {"type" : "date"},
"transact" : {"type" : "integer"},
"subscriber" : {"type" : "integer"},
"pid" : {"type" : "integer"},
"acquirertime" : {"type" : "float"}
}
}
}
'
我正在用来自 logstash 的数据填充它,如下所示:
filter {
if [type] == "test" {
grok {
match => { "message" => "%{TEST}" }
}
geoip {
source => "clientip"
target => "geoip"
database => "/etc/logstash/GeoLiteCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float"]
}
}
}
Pattern:
TEST %{MONTH:month} (?:(\s+|)) %{INT:day} %{TIME:time} (?<hostname>[a-z0-9_-]+) (?<application>[a-zA-Z0-9-_]+\.(cgi|pml|pfml)):(?:\s+)\[(?:(\s+|))%{INT:pid}\] %{IPORHOST:clientip} (?:\s+\()(?<acquirer>[a-zA-Z0-9_-]+)(?:(\s|))\) (?<event>[a-zA-Z0-9]+)(?:\s+)id=%{INT:transact}(?:\s+)sub=%{INT:subscriber}
因此,我尝试将字段“transact”映射到 elasticsearch 中作为整数。但是,当我在 Kibana 4 中查找字段时,我的所有字段都是“字符串”类型。这是怎么回事?
答案1
您应该在这里查看 ES 索引模板:https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-templates.html
您可以让 logstash 传递它们,或者通过 curl 或 config 将它们直接提供给 elasticsearch。