【发布时间】:2021-04-19 13:57:09
【问题描述】:
这里是目标 Elasticsearch 索引的映射:
"mappings": {
"_doc": {
"properties": {
"start_time": {
"format": "epoch_millis",
"type": "date"
},
"channel": {
"type": "keyword"
},
"end_time": {
"format": "epoch_millis",
"type": "date"
},
"range_time": {
"format": "epoch_millis",
"type": "date_range"
}
}
}
}
这是我相关的logstash配置文件:
filter {
mutate {
split => ["message", "|"]
add_field => {
"start_time" => "%{[message][1]}"
"end_time" => "%{[message][2]}"
"channel" => "%{[message][5]}"
**"range_time" => [
"%{[message][1]}",
"%{[message][2]}"
]**
}
remove_field => "message"
}
}
output {
stdout { codec => rubydebug }
elasticsearch {
hosts => [ "localhost" ]
index => "test_live"
}
}
我的问题是如何编写“range_time”=> 部分 ([mutate][add_field][range_time]) 以将 date_range 类型的数据发送到 ES。 在控制台中,我得到了这样的输出:
{
"@timestamp" => 2021-04-19T01:46:40.617Z,
"start_time" => "20210401001401",
"end_time" => "20210401001408",
"range_time" => [
[0] "20210401001401",
[1] "20210401001408"
],
"host" => "localhost.localdomain",
"channel" => "SCTV-2",
"path" => "/**/",
"@version" => "1"
}
但输出无法正确写入数据到索引。 我怎么能这样做?
【问题讨论】: