Data that Logstash ships to ES is automatically mapped into an index with 5 shards, 5 replicas, and every field typed as text. Such an index is basically useless for data analysis.
So the data Logstash sends must be stored in ES in a predefined format, and that is where ES index templates come in. ES lets you define custom templates and dynamic templates; afterwards ES automatically maps matching indices to the format the template specifies.
Write the dynamic mapping template file bigdata.template:
Use a dynamic mapping template when the position of the keys in the JSON log file is not fixed or the number of fields is not known in advance.
{
  "template": "bigdata-template",
  "settings": {
    "index.number_of_shards": 5,
    "number_of_replicas": 1
  },
  "mappings": {
    "_default_": {
      "_all": { "enabled": true, "omit_norms": true },
      "dynamic_templates": [
        {
          "message_field": {
            "match": "message",
            "match_mapping_type": "string",
            "mapping": {
              "type": "string",
              "index": "analyzed",
              "omit_norms": true,
              "fielddata": { "format": "disabled" }
            }
          }
        },
        {
          "string_fields": {
            "match": "*",
            "match_mapping_type": "string",
            "mapping": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": true
            }
          }
        }
      ],
      "properties": {
        "@timestamp": { "type": "date" },
        "@version": { "type": "string", "index": "not_analyzed" }
      }
    }
  }
}
dynamic_templates holds the individual dynamic template match rules
"match_mapping_type": "string" matches fields whose detected type is the given one
"match": "time" matches fields named time
"unmatch": "data" excludes fields named data
mapping maps each matched field to the data type defined here
Logstash configuration file nginx.conf:
input {
  file {
    path => "/usr/local/openresty/nginx/logs/user2.log"
    type => "nginx-bigdata"
    codec => "json"
  }
}
filter {
  json {
    source => "u_data"
  }
}
output {
  if [type] == "nginx-bigdata" {
    elasticsearch {
      hosts => ["172.17.213.60:9200", "172.17.213.61:9200"]
      index => "nginx-bigdata"
      manage_template => false
      template_overwrite => true
      template_name => "bigdata-template"
      template => "/usr/local/logstash-6.2.4/bigdata.template"
      document_type => "nginx-bigdata"
    }
  }
}
The JSON log format configuration in the Nginx config file (here I kept only the one field I needed):
escape=json: this parameter is only available from nginx 1.11.8 onward
log_format userlog escape=json '{"u_data":"$u_data","@timestamp":"$time_iso8601"}';
...
access_log logs/user.log userlog;
Resulting log line format:
{"u_data":"{"appid":"nchaopai","args":{"contentId":0,"duration":111811,"parentId":0,"totaltime":0,"type":0},"bk":"-","cp_ver":"3.0.5","duid":"2cba98f8ddc18464","e":"nchaopai.main.stay-duration","os":"A","ts":1572584611,"ver":"8.11.11"}"}
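As an added example (not code from the post), this Python script does two things the post describes: it decodes an nginx JSON access-log line and expands the nested u_data string the way the Logstash json filter with source => "u_data" does, and it resolves which mapping the bigdata.template rules (explicit properties first, then match / unmatch / match_mapping_type in order) would give each resulting field. The sample log line and its timestamp are constructed, with the inner quotes escaped the way nginx's escape=json writes them.

```python
import json
from fnmatch import fnmatchcase

# Mapping rules from bigdata.template, reduced to what the resolver needs.
TEMPLATE = {
    "dynamic_templates": [
        {"message_field": {"match": "message", "match_mapping_type": "string",
                           "mapping": {"type": "string", "index": "analyzed"}}},
        {"string_fields": {"match": "*", "match_mapping_type": "string",
                           "mapping": {"type": "string", "index": "not_analyzed"}}},
    ],
    "properties": {"@timestamp": {"type": "date"},
                   "@version": {"type": "string", "index": "not_analyzed"}},
}
# Detected JSON type -> name used by match_mapping_type (bool must precede int).
JSON_TYPES = [(bool, "boolean"), (int, "long"), (float, "double"),
              (str, "string"), (dict, "object")]

def json_type(value):
    return next((n for t, n in JSON_TYPES if isinstance(value, t)), None)

def resolve_mapping(name, value, template=TEMPLATE):
    """Explicit properties win; else the first rule whose match/unmatch/type all agree."""
    if name in template.get("properties", {}):
        return template["properties"][name]
    vtype = json_type(value)
    for entry in template["dynamic_templates"]:
        (rule,) = entry.values()  # each entry holds exactly one named rule
        if "match" in rule and not fnmatchcase(name, rule["match"]):
            continue
        if "unmatch" in rule and fnmatchcase(name, rule["unmatch"]):
            continue
        if rule.get("match_mapping_type", "*") not in ("*", vtype):
            continue
        return rule["mapping"]
    return {"type": vtype}  # ES default dynamic mapping for the detected type

def parse_nginx_line(line):
    """Decode the log line, then expand u_data as the Logstash json filter does."""
    event = json.loads(line)
    event.update(json.loads(event.pop("u_data")))
    return event

# Constructed sample line, as nginx escape=json writes it (inner quotes escaped).
SAMPLE = ('{"u_data":"{\\"appid\\":\\"nchaopai\\",\\"args\\":{\\"duration\\":111811},'
          '\\"e\\":\\"nchaopai.main.stay-duration\\",\\"ts\\":1572584611}",'
          '"@timestamp":"2019-11-01T13:03:31+08:00"}')

def mappings_for(line):
    """Field name -> mapping ES would create for this line under the template."""
    return {k: resolve_mapping(k, v) for k, v in parse_nginx_line(line).items()}
```

Without escape=json, a quote inside a logged value (a user-controlled field, for example) breaks the outer JSON, and both this parser and the Logstash json codec reject the line instead of indexing it.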
In Kibana it then looks like this:
A commonly used format is:
log_format log_json escape=json '{"timestamp": "$time_local",'
    '"remote_addr": "$remote_addr",'
    '"referer": "$http_referer",'
    '"request": "$request",'
    '"statu": "$status",'
    '"byte": "$body_bytes_sent",'
    '"agen": "$http_user_agent",'
    '"x_forwarded": "$http_x_forwarded_for",'
    '"up_resp_time": "$upstream_response_time",'
    '"request_time": "$request_time"}';
Reference: https://doc.yonyoucloud.com/doc/logstash-best-practice-cn/filter/json.html