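18.1 Simulating multi-component templates
- Because a template can be composed not only of multiple component templates but also of the index template itself, there are two simulate APIs for determining the resulting index settings
- Simulate the settings that would be applied to an index named te-000001: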
POST /_index_template/_simulate_index/te-000001
- Get the settings of a specific template:
POST /_index_template/_simulate/template_1
- Simulate the settings that would be applied from existing templates:
PUT /_component_template/ct1
{
"template": {
"settings": {
"index.number_of_shards": 2
}
}
}
PUT /_component_template/ct2
{
"template": {
"settings": {
"index.number_of_replicas": 0
},
"mappings": {
"properties": {
"@timestamp": {
"type": "date"
}
}
}
}
}
POST /_index_template/_simulate
{
"index_patterns": ["my*"],
"template": {
"settings" : {
"index.number_of_shards" : 3
}
},
"composed_of": ["ct1", "ct2"]
}
- Response
{
"template" : {
"settings" : {
"index" : {
"number_of_shards" : "3",
"number_of_replicas" : "0"
}
},
"mappings" : {
"properties" : {
"@timestamp" : {
"type" : "date"
}
}
},
"aliases" : { }
},
"overlapping" : [
{
"name" : "template_1",
"index_patterns" : [
"my*"
]
}
]
}
18.2 Template example: saving to Elasticsearch
- Template
{
"template" : "logstash-*",
"settings" : {
"index.refresh_interval" : "5s"
},
"mappings" : {
"_default_" : {
"_all" : {"enabled" : true},
"dynamic_templates" : [ {
"string_fields" : {
"match" : "*",
"match_mapping_type" : "string",
"mapping" : {
"type" : "string", "index" : "analyzed", "omit_norms" : true,
"fields" : {
"raw" : {"type": "string", "index" : "not_analyzed", "ignore_above" : 256}
}
}
}
} ],
"properties" : {
"@version": { "type": "string", "index": "not_analyzed" },
"geoip" : {
"type" : "object",
"dynamic": true,
"path": "full",
"properties" : {
"location" : { "type" : "geo_point" }
}
}
}
}
}
}
- Key settings include:
  - template for index-pattern
    - Only indices matching logstash-* have this template applied
  - refresh_interval for indexing
    - Elasticsearch is a near-real-time search engine
  - multi-field with not_analyzed
    - Elasticsearch automatically analyzes fields with its own default analyzer (splitting on spaces, dots, slashes, and so on)
  - geo_point
    - Elasticsearch supports the geo_point type, geo distance aggregations, and more
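- Other template configuration suggestions
  - doc_values
    - doc_values only takes effect on fields that are not analyzed (for string fields, those set to "index":"not_analyzed"; numeric and date fields are not analyzed by default)
    - When the request range grows, it is easy to trigger an OOM error: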
ElasticsearchException[org.elasticsearch.common.breaker.CircuitBreakingException: Data too large,
data for field [@timestamp] would be larger than limit of [639015321/609.4mb]]
- With large data volumes, enabling this setting is recommended:
{
"template" : "logstash-*",
"settings" : {
"index.refresh_interval" : "5s"
},
"mappings" : {
"_default_" : {
"_all" : {"enabled" : true},
"dynamic_templates" : [ {
"string_fields" : {
"match" : "*",
"match_mapping_type" : "string",
"mapping" : {
"type" : "string", "index" : "analyzed", "omit_norms" : true,
"fields" : {
"raw" : { "type": "string", "index" : "not_analyzed", "ignore_above" : 256, "doc_values": true }
}
}
}
} ],
"properties" : {
"@version": { "type": "string", "index": "not_analyzed" },
"@timestamp": { "type": "date", "index": "not_analyzed", "doc_values": true, "format": "dateOptionalTime" },
"geoip" : {
"type" : "object",
"dynamic": true,
"path": "full",
"properties" : {
"location" : { "type" : "geo_point" }
}
}
}
}
}
}
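- Other template configuration suggestions
  - order
    - order applies when Elasticsearch creates an index that matches several templates at once: it first applies the settings of the template with the lower order value, then applies the one with the higher order value as an override, so the end result is a merge
    - For example, to change only refresh_interval in the template above, you only need to write a new one: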
{
"order" : 1,
"template" : "logstash-*",
"settings" : {
"index.refresh_interval" : "20s"
}
}
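The precedence seen in the 18.1 simulate response (the index template's own settings win over `ct1`) and the `order` rule in 18.2 can be checked offline with a small model of the merge. This is an added example, not code from the original page or from Elasticsearch; the function names are hypothetical, and the model assumes a plain recursive merge of mappings, flat dotted settings keys, and a missing `order` treated as 0.

```python
import copy
import json

def flatten(settings, prefix=""):
    """Flatten nested settings to dotted keys; scalar values are rendered as strings."""
    flat = {}
    for key, value in settings.items():
        if isinstance(value, dict):
            flat.update(flatten(value, prefix + key + "."))
        else:
            flat[prefix + key] = value if isinstance(value, str) else json.dumps(value)
    return flat

def deep_merge(base, override):
    """Return base with override merged in recursively; override wins on conflicts."""
    merged = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged

def resolve(layers):
    """Apply template bodies in order, lowest precedence first."""
    out = {"settings": {}, "mappings": {}}
    for layer in layers:
        out["settings"].update(flatten(layer.get("settings", {})))
        out["mappings"] = deep_merge(out["mappings"], layer.get("mappings", {}))
    return out

def resolve_composable(index_template, components):
    """Component templates in composed_of order, then the index template's own body."""
    layers = [components[name]["template"] for name in index_template.get("composed_of", [])]
    return resolve(layers + [index_template.get("template", {})])

def resolve_legacy(templates):
    """Legacy templates: ascending `order`, so the higher value overrides."""
    return resolve(sorted(templates, key=lambda t: t.get("order", 0)))

# Request bodies from section 18.1
COMPONENTS = {
    "ct1": {"template": {"settings": {"index.number_of_shards": 2}}},
    "ct2": {"template": {"settings": {"index.number_of_replicas": 0},
                         "mappings": {"properties": {"@timestamp": {"type": "date"}}}}},
}
SIMULATED = {"index_patterns": ["my*"], "composed_of": ["ct1", "ct2"],
             "template": {"settings": {"index.number_of_shards": 3}}}
# Section 18.2 templates reduced to their settings (assumption: no `order` means 0)
LEGACY = [{"order": 1, "template": "logstash-*", "settings": {"index.refresh_interval": "20s"}},
          {"template": "logstash-*", "settings": {"index.refresh_interval": "5s"}}]

if __name__ == "__main__":
    print(resolve_composable(SIMULATED, COMPONENTS))
    print(resolve_legacy(LEGACY))
```

Comparing such an offline result with the actual `_simulate` output before a template goes live shows whether an overlapping template silently overrides a setting you rely on.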