
All the fields shown in Kibana are strings; how do I change specific ones to a numeric type?

Kibana | Author: benny | Posted 2017-10-23 | Views: 8762

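A question for everyone: logs are shipped from logstash to elasticsearch and then viewed through kibana. I plan to build a line chart based on the average of a certain field, but found that all the parsed fields are strings. How can I adjust this? Thanks.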

The logstash configuration:
input {
    redis {
        host => "172.23.11.100"
        port => 6379
        key => "filebeat"
        type => "filebeat"
        data_type => "list"
    }
}

filter {
    if [type] == "monitor_access_log" {
        grok {
            match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}\|%{LOGLEVEL:level}\|%{WORD:filename}\|%{WORD:method}\|%{URIPATHPARAM:request}\|(?:HTTP/%{NUMBER:http_version})\|%{IP:client}\|%{INT:http_status_code}\|%{NUMBER:duration}\|(?<reserve1>([\s\S]*))\|(?<reserve2>([\s\S]*))\|(?<reserve3>([\s\S]*))"
            }
        }
    }
}

output {
    if [type] == "monitor_access_log" {
        elasticsearch {
            hosts => ["172.23.11.136:9200","172.23.11.137:9200","172.23.11.138:9200"]
            index => "omp-monitor-access-%{+YYYY.MM.dd}"
        }
        stdout {
            codec => rubydebug
        }
    }
}

strglee


In the output you can configure a template to set the mapping

output {
    if [type] == "monitor_access_log" {
        elasticsearch {
            hosts => ["172.23.11.136:9200","172.23.11.137:9200","172.23.11.138:9200"]
            index => "omp-monitor-access-%{+YYYY.MM.dd}"
            template_overwrite => true
            template => "/etc/logstash/template/lomonitor_access_log.json"
        }
        stdout {
            codec => rubydebug
        }
    }
}

The content of lomonitor_access_log.json looks like this:
{
    "template": "omp-monitor-access-*",
    "mappings": {
        "_default_": {
            "properties": {
                "@timestamp": {
                    "type": "date",
                    "include_in_all": false
                },
                "@version": {
                    "type": "keyword",
                    "include_in_all": false
                },
                "duration": {
                    "type": "float",
                    "index": "not_analyzed"
                }
            }
        }
    }
}

Loading Zhang


You need to define the field type in the template

Chip


Can't you use mutate in logstash to convert the type?

lunatictwo


Converting the type with mutate works, just like this:
filter {
    mutate {
        convert => ["request_time", "float"]
    }
}
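
An added example, not part of any answer above and not the asker's own fix: the filter from the question with the conversion done at parse time, using grok's `:int` / `:float` cast suffix on the two numeric captures. The field names and the pattern are the ones from the question; only the two suffixes are new.

```logstash
filter {
    if [type] == "monitor_access_log" {
        grok {
            # A third component after the field name (":int" or ":float") makes
            # grok emit a number instead of a string. Grok supports only these
            # two casts; every capture without a suffix stays a string.
            match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}\|%{LOGLEVEL:level}\|%{WORD:filename}\|%{WORD:method}\|%{URIPATHPARAM:request}\|(?:HTTP/%{NUMBER:http_version})\|%{IP:client}\|%{INT:http_status_code:int}\|%{NUMBER:duration:float}\|(?<reserve1>([\s\S]*))\|(?<reserve2>([\s\S]*))\|(?<reserve3>([\s\S]*))"
            }
        }
    }
}
```

An index that has already mapped `duration` as a string keeps that mapping, so the numeric type only takes effect in the next daily `omp-monitor-access-*` index (or after reindexing). Refresh the field list of the Kibana index pattern afterwards so the field becomes available for an average aggregation.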
