Question
I need to put a TTL with each of the logs exported from logstash.
I have already created a folder 'mappings' under the config folder, under which I have a folder _default, under which I have the json file default.json, which has:
    {
        "_default_" : {
            "_ttl" : { "enabled" : true, "default" : "10s" }
        }
    }
I am exporting my logs to the elastic server with logstash. The config file is:
    input {
        stdin {
            type => "stdin-type"
        }
    }
    filter {
        grok {
            type => "stdin-type"
            pattern => "I am %{USERNAME:username}"
            add_tag => "{username}"
        }
    }
    output {
        stdout { debug => true debug_format => "json" }
        elasticsearch {
        }
    }
I should expect that the logs get deleted from Elasticsearch after 10 seconds, but that is not the case. The logs persist. Where am I going wrong? I am totally stuck.
Need help.
Answer 1:
Fine guys, got it to work. Simply had to change
    MESSAGE %{DATA}ERR_SYSTEM%{DATA}
to
    MESSAGE %{DATA}ERR_SYSTEM.*
Answer 2:
Use templates:
    {
        "template_1" : {
            "template" : "logstash-*",
            "settings" : {
                "number_of_shards" : 5,
                "number_of_replicas" : 1,
                "index.cache.field.type" : "soft",
                "index.refresh_interval" : "5s",
                "index.store.compress.stored" : true,
                "index" : {
                    "store" : { "compress" : { "stored" : true }}
                }
            },
            "mappings" : {
                "nginxlog" : {
                    "_ttl" : { "enabled" : true, "default" : "1m" },
                    "properties" : {
                        "@timestamp" : { "type" : "date", "format" : "dateOptionalTime" }
                    }
                }
            }
        }
    }
Set it to 1 minute, and it is automatically deleted a minute later.
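Added example, not part of either answer or of Elasticsearch itself: a small offline check of which default TTL a set of index templates would give a document, run against the template from Answer 2 and the question's mapping type. It assumes Logstash writes the question's events to a logstash-* index under the mapping type stdin-type, and it uses a simplified model in which a type-specific mapping overrides "_default_"; the function names and the index name are hypothetical.

```python
import copy
import re

UNIT_SECONDS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400}

def ttl_seconds(value):
    """Convert a TTL string such as "10s" or "1m" to seconds."""
    m = re.fullmatch(r"(\d+)(ms|s|m|h|d)", value.strip())
    if m is None:
        raise ValueError("unsupported TTL value: %r" % value)
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]

def pattern_matches(pattern, index_name):
    """Match an index name against a template pattern; '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index_name) is not None

def effective_ttl(templates, index_name, doc_type):
    """Default TTL in seconds for doc_type in index_name, or None if none applies.

    Simplified model (assumption): a mapping for the exact type overrides the
    "_default_" mapping, and template ordering is ignored.
    """
    result = None
    for body in templates.values():
        if not pattern_matches(body.get("template", ""), index_name):
            continue
        mappings = body.get("mappings", {})
        for key in ("_default_", doc_type):
            ttl = mappings.get(key, {}).get("_ttl")
            if ttl is not None:
                enabled = ttl.get("enabled") and "default" in ttl
                result = ttl_seconds(ttl["default"]) if enabled else None
    return result

# The template from Answer 2, reduced to the parts that decide TTL.
ANSWER_TEMPLATE = {"template_1": {
    "template": "logstash-*",
    "mappings": {"nginxlog": {"_ttl": {"enabled": True, "default": "1m"}}},
}}
# Constructed variant: the same template plus the question's "_default_" mapping.
WITH_DEFAULT = copy.deepcopy(ANSWER_TEMPLATE)
WITH_DEFAULT["template_1"]["mappings"]["_default_"] = {
    "_ttl": {"enabled": True, "default": "10s"}}

if __name__ == "__main__":
    index = "logstash-2013.05.13"  # constructed index name
    for doc_type in ("nginxlog", "stdin-type"):
        print(doc_type, effective_ttl(ANSWER_TEMPLATE, index, doc_type),
              effective_ttl(WITH_DEFAULT, index, doc_type))
```

Under these assumptions the template as posted gives the stdin-type events no TTL at all, because its only mapping is for nginxlog.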
Source: https://stackoverflow.com/questions/16516353/ttl-elastic-search-not-working