实践logstash配置ik分词

logstash-ik.json

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71

{ "order" : 99, "version" : 1, "index_patterns" : [ "*" ], "settings" : { "index" : { "number_of_shards" : "1", "refresh_interval" : "5s" } }, "mappings" : { "dynamic_templates" : [ { "message_field" : { "path_match" : "message", "mapping" : { "norms" : false, "type" : "text" }, "match_mapping_type" : "string" } }, { "string_fields" : { "mapping" : { "norms" : false, "type" : "text", "analyzer": "ik_max_word", "search_analyzer": "ik_smart", "fields" : { "keyword" : { "ignore_above" : 256, "type" : "keyword" } } }, "match_mapping_type" : "string", "match" : "*" } } ], "properties" : { "@timestamp" : { "type" : "date" }, "geoip" : { "dynamic" : true, "properties" : { "ip" : { "type" : "ip" }, "latitude" : { "type" : "half_float" }, "location" : { "type" : "geo_point" }, "longitude" : { "type" : "half_float" } } }, "@version" : { "type" : "keyword" } } }, "aliases" : { } }

logstash.conf

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

output { elasticsearch { hosts => ["http://localhost:9200"] index => "dev-log-%{+YYYY.MM}" # 定义模板名称 template_name => "myik" # 模板所在位置 template => "/app/logstash-7.7.1/sync/logstash-ik.json" # 重写模板 template_overwrite => true # 默认为 true，false 关闭 logstash 自动管理模板的功能，如果自定义模板，则设置为 false #manage_template => false #user => "elastic" #password => "changeme" } }