新建mapping
新建索引: PUT logstash-redis-log-2017.12
PUT logstash-redis-log-2017.12/_mapping/redis-log { "properties" : { "@timestamp" : { "type" : "date" }, "@version" : { "type" : "text" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "Query" : { "type" : "text" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "Rt" : { "type" : "long" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "dest_ip" : { "type" : "text" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "dest_port" : { "type" : "text" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "kafka" : { "properties" : { "consumer_group" : { "type" : "text" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "offset" : { "type" : "long" }, "partition" : { "type" : "long" }, "topic" : { "type" : "text" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } } } }, "message" : { "type" : "text" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "request_len" : { "type" : "long" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "request_ts" : { "type" : "long" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "response_len" : { "type" : "long" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "souce_ip" : { "type" : "text" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } } } }
新建索引: PUT logstash-iis-log-2017.12
PUT logstash-iis-log-2017.12/_mapping/iis-log { "properties" : { "@timestamp" : { "type" : "date" }, "@version" : { "type" : "text" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "c-ip" : { "type" : "text" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "cs" : { "type" : "text" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "cs-bytes" : { "type" : "long" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "cs-host" : { "type" : "text" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "cs-method" : { "type" : "text" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "cs-uri-query" : { "type" : "text" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "cs-uri-stem" : { "type" : "text" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "kafka" : { "properties" : { "consumer_group" : { "type" : "text" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "offset" : { "type" : "long" }, "partition" : { "type" : "long" }, "topic" : { "type" : "text" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } } } }, "message" : { "type" : "text" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "s-ip" : { "type" : "text" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "s-port" : { "type" : "text" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "sc-bytes" : { "type" : "long" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "sc-status" : { "type" : "text" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "sc-substatus" : { "type" : "text" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "sc-win32-status" : { "type" : "text" , "fields" : { 
"keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "tags" : { "type" : "text" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "time-taken" : { "type" : "long" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "timestamp" : { "type" : "text" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } }, "type" : { "type" : "text" , "fields" : { "keyword" : { "type" : "keyword" , "ignore_above" : 256 } } } } }
新建template
iis 字段全选:
elasticsearch-template.json
PUT _template/f5-request