怎么又是你

kibana上看到的字段都是字符串,如何针对性的修改为数值型

Kibana | 作者 benny | 发布于2017年10月23日 | 阅读数:8749
分享到:QQ空间新浪微博微信QQ好友印象笔记有道云笔记
请教大家,由logstash吐到elasticsearch,然后通过kibana查看对应信息。计划生成基于某字段平均数的曲线图,但发现分解的所有字段都是字符串,如何调整。谢谢

其中logstash的配置:
input {
    redis {
            host => "172.23.11.100"
            port => 6379
                key => "filebeat"
                type => "filebeat"
                data_type => "list"
        }
}

filter {
    if [type] == "monitor_access_log" {
      grok {
        match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}\|%{LOGLEVEL:level}\|%{WORD:filename}\|%{WORD:method}\|%{URIPATHPARAM:request}\|(?:HTTP/%{NUMBER:http_version})\|%{IP:client}\|%{INT:http_status_code}\|%{NUMBER:duration}\|(?<reserve1>([\s\S]*))\|(?<reserve2>([\s\S]*))\|(?<reserve3>([\s\S]*))"
            }
        }
    }
}

output {
        if [type] == "monitor_access_log" {
                elasticsearch {
                        hosts => ["172.23.11.136:9200","172.23.11.137:9200","172.23.11.138:9200"]
                        index => "omp-monitor-access-%{+YYYY.MM.dd}"
                }
                stdout {
                                        codec => rubydebug
                }
        }
}
ELK问题.png
2017-10-23 添加评论

没有找到相关结果

    已邀请:

    strglee

    赞同来自:

    output 可以配置template来设置mapping

    
output {
    
        if [type] == "monitor_access_log" {
    
            elasticsearch {
    
                hosts => ["172.23.11.136:9200","172.23.11.137:9200","172.23.11.138:9200"]
    
                index => "omp-monitor-access-%{+YYYY.MM.dd}"
    
                template_overwrite => true
    
                template => "/etc/logstash/template/lomonitor_access_log.json"
    
            }
    
            stdout {
    
                codec => rubydebug
    
            }
    
        }
    
}

    lomonitor_access_log.json内容像这样:
    {
    
    "template": "omp-monitor-access-*",
    
    "mappings": {
    
        "_default_": {
    
            "properties": {
    
                "@timestamp": {
    
                    "type": "date",
    
                    "include_in_all": false
    
                },
    
                "@version": {
    
                    "type": "keyword",
    
                    "include_in_all": false
    
                },
    
                "duration": {
    
                    "type": "float",
    
                    "index": "not_analyzed"
    
                }
    
            }
    
        }
    
    }
    
}
    2017-10-23 0 2
    分享

    Loading Zhang

    赞同来自:

    需要在template中定义字段类型
    2017-10-24 0 0
    分享

    Chip

    赞同来自:

    不可以在logstash中用mutate转换类型吗?
    2017-11-23 0 0
    分享

    lunatictwo

    赞同来自:

    mutate转换类型就可以,just like this:
    filter {
    
    mutate {
    
        convert => ["request_time", "float"]
    
    }
    
}
    2017-11-23 0 0
    分享
    为什么被折叠? 0 个回复被折叠

    要回复问题请先登录注册

    Copyright © 2024 · CC BY-NC-SA 3.0

    本站服务器及带宽由 提供赞助