问题描述
我需要在ELK中启用date_nanos支持,但是失败。
我使用docker调出Elastic + Kibana + Filebeat。 而Elastic的版本是7.9.0。
我设置了filebeat模板,该模板只是从原始fields.yml复制而来,我仅将日期类型更改为“ date_nanos”,如下所示。
- key: ecs
title: ECS
description: ECS Fields.
fields:
- name: '@timestamp'
level: core
required: true
type: date_nanos
...
然后我启用了filebeat的调试日志,并且该日志显示映射已加载到Elastic:
{"level":"info","timestamp":"2020-09-03T09:25:02.360Z","caller":"template/load.go:109","message":"Try loading template filebeat-7.9.0 to Elasticsearch"},{"level":"debug","timestamp":"2020-09-03T09:25:02.364Z","logger":"esclientleg","caller":"eslegclient/connection.go:364","message":"PUT http://elasticsearch:9200/_template/filebeat-7.9.0 map[index_patterns:[filebeat-7.9.0-*] mappings:{\"_Meta\":{\"beat\":\"filebeat\",\"version\":\"7.9.0\"},\"date_detection\":false,\"dynamic_templates\":[{\"labels\":{\"mapping\":{\"type\":\"keyword\"},\"match_mapping_type\":\"string\",\"path_match\":\"labels.*\"}},{\"container.labels\":{\"mapping\":{\"type\":\"keyword\"},\"path_match\":\"container.labels.*\"}},{\"dns.answers\":{\"mapping\":{\"type\":\"keyword\"},\"path_match\":\"dns.answers.*\"}},{\"log.syslog\":{\"mapping\":{\"type\":\"keyword\"},\"path_match\":\"log.syslog.*\"}},{\"network.inner\":{\"mapping\":{\"type\":\"keyword\"},\"path_match\":\"network.inner.*\"}},{\"observer.egress\":{\"mapping\":{\"type\":\"keyword\"},\"path_match\":\"observer.egress.*\"}},{\"observer.ingress\":{\"mapping\":{\"type\":\"keyword\"},\"path_match\":\"observer.ingress.*\"}},{\"fields\":{\"mapping\":{\"type\":\"keyword\"},\"path_match\":\"fields.*\"}},{\"docker.container.labels\":{\"mapping\":{\"type\":\"keyword\"},\"path_match\":\"docker.container.labels.*\"}},{\"kubernetes.labels.*\":{\"mapping\":{\"type\":\"keyword\"},\"match_mapping_type\":\"*\",\"path_match\":\"kubernetes.labels.*\"}},{\"kubernetes.annotations.*\":{\"mapping\":{\"type\":\"keyword\"},\"path_match\":\"kubernetes.annotations.*\"}},{\"docker.attrs\":{\"mapping\":{\"type\":\"keyword\"},\"path_match\":\"docker.attrs.*\"}},{\"kibana.log.Meta\":{\"mapping\":{\"type\":\"keyword\"},\"path_match\":\"kibana.log.Meta.*\"}},{\"strings_as_keyword\":{\"mapping\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"match_mapping_type\":\"string\"}}],\"properties\":{\"@timestamp\":{\"type\":\"date_nanos\"},\"agent\":{\"properties\":{\"ephemeral_id\":{\"ignore_above\":1024,{"level":"info","timestamp":"2020-09-03T09:25:02.846Z","caller":"template/load.go:101","message":"template with name 'filebeat-7.9.0' loaded."},我可以在日志字符串中看到date_nanos设置:
"properties\":{\"@timestamp\":{\"type\":\"date_nanos\"},但是最后,在Kibana中日期的“类型”仍然显示“日期”,而不是“ date_nanos”
要启用date_nanos支持还可以做些其他事情吗?
解决方法
索引模式中显示的Date类型与索引映射中的date_nanos类型不同。索引模式中的Date类型更适用于格式化。
Kibana支持date_nanos since version 7.3。
所以您已经准备好了,什么都没改变。