采集nginx日志的时候发现从filebeat采集的json日志到elasticsearch里面都是keyword类型,导致我模糊查询部分字段的时候无法模糊匹配,所以需要将某些字段改成text类型。
filebeat.inputs: - type: log enabled: true json.keys_under_root: true json.overwrite_keys: true paths: - "/x/*.log" tags: ["php-nginx-access"] output.elasticsearch: hosts: ["10.8.44.5:9200"] username: "xxx" password: "xxx" indices: - index: "php-nginx-access-%{[agent.version]}-%{+yyyy.MM}" when.contains: tags: "php-nginx-access" setup.template.name: "php-nginx-access" setup.template.pattern: "php-nginx-access-*" setup.template.fields: "myfields.yml" setup.template.overwrite: true setup.template.enabled: true setup.ilm.enabled: false
关键的地方就是修改了fields.yml。
- key: php-nginx-access title: php description: > php access log fields: - name: request type: text ignore_above: 1024 - name: ‘@timestamp‘ level: core required: true type: date description: ‘Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.‘ example: ‘2016-05-23T08:05:34.853Z‘