Logging work

Right now Rsyslog->ES will log like:

  logstash-YYYY.MM.DD.HH

This creates a ton of indexes, which makes searching much harder. This commit
removes the .HH suffix so we have:

  logstash-YYYY.MM.DD

This also patches the template to work with ES5

Change-Id: Iaef70f51601da504b769165e8593603adc484225
Joe Talerico 2018-04-30 13:36:53 -04:00
parent 8846215237
commit 9ff9e35c12
2 changed files with 48 additions and 27 deletions


@ -27,8 +27,6 @@ template(name="logstash-index-pattern" type="list") {
property(name="timereported" dateFormat="rfc3339" position.from="6" position.to="7")
constant(value=".")
property(name="timereported" dateFormat="rfc3339" position.from="9" position.to="10")
constant(value=".")
property(name="timereported" dateFormat="rfc3339" position.from="12" position.to="13")
}
# this is for formatting our syslog data in JSON with @timestamp using a "hierarchical" metdata namespace
template(name="com-redhat-rsyslog-hier"


@ -1,34 +1,57 @@
{
template: "browbeat-logstash-*",
mappings: {
result: {
properties: {
action: {
index: "not_analyzed",
type: "string"
},
browbeat_cloud_name: {
index: "not_analyzed",
type: "string"
},
message: {
properties: {
openstack-general-system-performance: {
index: "not_analyzed",
type: "string"
"template": "logstash-*",
"settings": {
"index": {
"number_of_shards": "5",
"number_of_replicas": "0",
"mapping": {
"total_fields": {
"limit": "5000"
}
}
}
},
"mappings": {
"result": {
"properties": {
"CEE": {
"properties": {
"failed": {
"index": "not_analyzed",
"type": "string"
},
"suspended": {
"index": "not_analyzed",
"type": "string"
}
}
},
level: {
type: "string"
"action": {
"index": "not_analyzed",
"type": "string"
},
hostname: {
index: "not_analyzed",
type: "string"
"browbeat_cloud_name": {
"index": "not_analyzed",
"type": "string"
},
timestamp: {
type: "date",
format: "strict_date_optional_time||epoch_millis"
"message": {
"properties": {
"openstack-general-system-performance": {
"index": "not_analyzed",
"type": "string"
}
}
},
"level": {
"type": "string"
},
"hostname": {
"index": "not_analyzed",
"type": "string"
},
"timestamp": {
"type": "date",
"format": "strict_date_optional_time||epoch_millis"
}
}
}