默认调用的索引模板会对字段自动分词,不便于数据分析。

通过 curl 往 Elasticsearch 里 PUT syslog-* 索引模板。


# curl  -XPUT http://192.168.0.100:9200/_template/template_syslog -d '

{
  "order": 0,
  "template": "syslog-*",
  "settings": {
    "index": {
      "refresh_interval": "5s"
    }
  },
  "mappings": {
    "_default_": {
      "dynamic_templates": [
        {
          "string_fields": {
            "mapping": {
              "index": "analyzed",
              "omit_norms": true,
              "type": "string",
              "fields": {
                "raw": {
                  "ignore_above": 256,
                  "index": "not_analyzed",
                  "type": "string",
                  "doc_values": true
                }
              }
            },
            "match_mapping_type": "string",
            "match": "*"
          }
        }
      ],
      "_all": {
        "enabled": true
      },
      "properties": {
        "@timestamp": {
          "format": "dateOptionalTime",
          "index": "not_analyzed",
          "type": "date",
          "doc_values": true
        },
        "geoip": {
          "dynamic": true,
          "type": "object",
          "properties": {
            "location": {
              "type": "geo_point"
            }
          }
        },
        "@version": {
          "index": "not_analyzed",
          "type": "string"
        }
      }
    }
  },
  "aliases": {}
}'


注："type": "date", "index": "not_analyzed"       # 该字段在索引时不分词

 

在 logstash 配置文件里就可以创建以 syslog- 开头的索引。Elasticsearch 会自动匹配 syslog-* 索引模板。

output {
        stdout { codec => rubydebug }
        elasticsearch {
                host => "192.168.0.100:9200"       
                index => "syslog-%{+YYYY.MM.dd}"
        }
}