当使用Logstash和Elasticsearch输出时，.raw字段来自哪里？ [英] Where do .raw fields come from when using Logstash with Elasticsearch output?

问题描述

当一起使用Logstash和Elasticsearch时，为分析的字段追加 .raw 的字段，这样当使用Kibana这样的工具查询Elasticsearch时，可以使用字段的值原来没有每个字的分割，没有。

我建立了一个新的安装的ELK堆栈与最新的最伟大的版本的一切，并注意到我的 .raw 字段不再像旧版本的堆栈一样被创建。有很多发布在弹性搜索上创建模板的解决方案，但是我没有能够找到很多信息到为什么这修复了事情。为了更好地了解更广泛的问题，请问这个具体问题：

.raw字段来自哪里？

我假设Logstash在插入文档时将字符串分析和字符串原样填充到Elasticsearch，但考虑到修复在Elasticsearch模板中的事实，我是否怀疑或者不是我的假设是正确的。

解决方案

您假设 .raw 字段是Logstash创建的默认索引模板中包含的字符串字段的动态模板的结果IF manage_template：true （默认情况下是这样）。

Logstash创建的默认模板（从2.1开始）可以看出这里。如第26行所示，所有字符串字段（消息除外）都有一个 not_analyzed .raw 子字段创建。

但是，最新的Logstash版本中的模板没有更改，可以在 template.json 更改历史记录，因此您的安装必须要有其他错误，或者您已将Logstash配置更改为使用自己的索引模板（不含$ $ c $如果你运行 curl -XGET localhost：9200 / _template / logstash * ，您应该会看到Logstash创建的模板。

When using Logstash and Elasticsearch together, fields with .raw are appended for analyzed fields, so that when querying Elasticsearch with tools like Kibana, it's possible to use the field's value as-is without per-word splitting and what not.

I built a new installation of the ELK stack with the latest greatest versions of everything, and noticed my .raw fields are no longer being created as they were on older versions of the stack. There are a lot of folks posting solutions of creating templates on Elasticsearch, but I haven't been able to find much information as to why this fixes things. In an effort to better understand the broader problem, I ask this specific question:

Where do the .raw fields come from?

I had assumed that Logstash was populating Elasticsearch with strings as-analyzed and strings as-raw when it inserted documents, but considering the fact that the fix lies in Elasticsearch templates, I question whether or not my assumption is correct.

解决方案

You're correct in your assumption that the .raw fields are the result of a dynamic template for string fields contained in the default index template that Logstash creates IF manage_template: true (which it is by default).

The default template that Logstash creates (as of 2.1) can be seen here. As you can see on line 26, all string fields (except the message one) have a not_analyzed .raw sub-field created.

However, the template hasn't changed in the latest Logstash versions as can be seen in the template.json change history, so either something else must be wrong with your install or you've changed your Logstash config to use your own index template (without .raw fields) instead.

If you run curl -XGET localhost:9200/_template/logstash* you should see the template that Logstash has created.

这篇关于当使用Logstash和Elasticsearch输出时，.raw字段来自哪里？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！