ELK自定义字段 mapping
在索引的位置处有一句很明显的英文:This page lists every field in the logstash-* index and the field's associated core type as recorded by Elasticsearch. While this list allows you to view the core type of each field, changing field types must be done using Elasticsearch's Mapping API
如果你想要自定义自己的字段如: 日志的referrer、domainname、remote_addr request、status 这些web的访问日志基本的字段!
你要使用elasticsearch的mapping API
参考:
http://es.xiaoleilu.com/052_Mapping_Analysis/25_Data_type_differences.html
查看映射的命令:
curl -XGET 192.168.100.10:9200/logstash-2016.05.15/_mapping/syslog?pretty
logstash-2016.05.15 是index的名字
syslog是type的名字
第一查看默认的映射:
{
"logstash-2016.05.15" : {
"mappings" : {
"syslog" : {
"_all" : {
"enabled" : true,
"omit_norms" : true
},
"dynamic_templates" : [ {
"message_field" : {
"mapping" : {
"index" : "analyzed",
"omit_norms" : true,
"fielddata" : {
"format" : "disabled"
},
"type" : "string"
},
"match" : "message",
"match_mapping_type" : "string"
}
}, {
"string_fields" : {
"mapping" : {
"index" : "analyzed",
"omit_norms" : true,
"fielddata" : {
"format" : "disabled"
},
"type" : "string",
"fields" : {
"raw" : {
"index" : "not_analyzed",
"ignore_above" : 256,
"doc_values" : true,
"type" : "string"
}
}
},
"match" : "*",
"match_mapping_type" : "string"
}
}, {
"float_fields" : {
"mapping" : {
"doc_values" : true,
"type" : "float"
},
"match" : "*",
"match_mapping_type" : "float"
}
}, {
"double_fields" : {
"mapping" : {
"doc_values" : true,
"type" : "double"
},
"match" : "*",
"match_mapping_type" : "double"
}
}, {
"byte_fields" : {
"mapping" : {
"doc_values" : true,
"type" : "byte"
},
"match" : "*",
"match_mapping_type" : "byte"
}
}, {
"short_fields" : {
"mapping" : {
"doc_values" : true,
"type" : "short"
},
"match" : "*",
"match_mapping_type" : "short"
}
}, {
"integer_fields" : {
"mapping" : {
"doc_values" : true,
"type" : "integer"
},
"match" : "*",
"match_mapping_type" : "integer"
}
}, {
"long_fields" : {
"mapping" : {
"doc_values" : true,
"type" : "long"
},
"match" : "*",
"match_mapping_type" : "long"
}
}, {
"date_fields" : {
"mapping" : {
"doc_values" : true,
"type" : "date"
},
"match" : "*",
"match_mapping_type" : "date"
}
}, {
"geo_point_fields" : {
"mapping" : {
"doc_values" : true,
"type" : "geo_point"
},
"match" : "*",
"match_mapping_type" : "geo_point"
}
} ],
"properties" : {
"@timestamp" : {
"type" : "date",
"format" : "strict_date_optional_time||epoch_millis"
},
"@version" : {
"type" : "string",
"index" : "not_analyzed"
},
"file" : {
"type" : "string",
"norms" : {
"enabled" : false
},
"fielddata" : {
"format" : "disabled"
},
"fields" : {
"raw" : {
"type" : "string",
"index" : "not_analyzed",
"ignore_above" : 256
}
}
},
"geoip" : {
"dynamic" : "true",
"properties" : {
"ip" : {
"type" : "ip"
},
"latitude" : {
"type" : "float"
},
"location" : {
"type" : "geo_point"
},
"longitude" : {
"type" : "float"
}
}
},
"host" : {
"type" : "string",
"norms" : {
"enabled" : false
},
"fielddata" : {
"format" : "disabled"
},
"fields" : {
"raw" : {
"type" : "string",
"index" : "not_analyzed",
"ignore_above" : 256
}
}
},
"message" : {
"type" : "string",
"norms" : {
"enabled" : false
},
"fielddata" : {
"format" : "disabled"
}
},
"offset" : {
"type" : "string",
"norms" : {
"enabled" : false
},
"fielddata" : {
"format" : "disabled"
},
"fields" : {
"raw" : {
"type" : "string",
"index" : "not_analyzed",
"ignore_above" : 256
}
}
},
"path" : {
"type" : "string",
"norms" : {
"enabled" : false
},
"fielddata" : {
"format" : "disabled"
},
"fields" : {
"raw" : {
"type" : "string",
"index" : "not_analyzed",
"ignore_above" : 256
}
}
},
"type" : {
"type" : "string",
"norms" : {
"enabled" : false
},
"fielddata" : {
"format" : "disabled"
},
"fields" : {
"raw" : {
"type" : "string",
"index" : "not_analyzed",
"ignore_above" : 256
}
}
}
}
}
}
}
}
页:
[1]