elasticsearch - Logstash 7.2 更新 ES 7.2 至少需要 5 分钟

问题描述

我已经实现了 7.2 版本的 ELK 设置。下面是我的logstash conf

input {
        file {
        path => "/etc/logstash/conf.d/mytest.txt"
        start_position => "beginning"
        sincedb_path => "/dev/null"
        }
        }
        output {
           elasticsearch {
               hosts => ["<esIP>:9200"]
               index => "text"
               doc_as_upsert =>true}
               stdout { codec => rubydebug }
        }

文本文件的内容只有 4 行用于测试：

this is a test text
for logstash updation
adding another line
this is to check updates

我的 logstash 作为服务运行，需要5 mins将这些数据更新/推送到 ES 服务器（不同的服务器）。

我所做的是在源文件中进行更改以更新，然后该更改将在我在 ES 中执行后的 5 分钟内出现。这不是立即的。

Logstash 日志（当我重新启动服务时）在 ES 或 Logstash 中更新数据时没有创建日志：

[2019-11-21T02:08:21,855][WARN ][logstash.runner          ] SIGTERM received. Shutting down.
[2019-11-21T02:08:21,990][INFO ][filewatch.observingtail  ] QUIT - closing all files and shutting down.
[2019-11-21T02:08:22,912][INFO ][logstash.javapipeline    ] Pipeline terminated {"pipeline.id"=>"main"}
[2019-11-21T02:08:23,292][INFO ][logstash.runner          ] Logstash shut down.
[2019-11-21T02:08:32,854][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"7.2.0"}
[2019-11-21T02:08:36,862][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://10.16.5.24:9200/]}}
[2019-11-21T02:08:37,002][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://10.16.5.24:9200/"}
[2019-11-21T02:08:37,064][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>7}
[2019-11-21T02:08:37,066][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>7}
[2019-11-21T02:08:37,085][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//10.16.5.24:9200"]}
[2019-11-21T02:08:37,128][INFO ][logstash.outputs.elasticsearch] Using default mapping template
[2019-11-21T02:08:37,146][WARN ][org.logstash.instrument.metrics.gauge.LazyDelegatingGauge] A gauge metric of an unknown type (org.jruby.specialized.RubyArrayOneObject) has been create for key: cluster_uuids. This may result in invalid serialization.  It is recommended to log an issue to the responsible developer/development team.
[2019-11-21T02:08:37,149][INFO ][logstash.javapipeline    ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>1000, :thread=>"#<Thread:0x72266cf8 run>"}
[2019-11-21T02:08:37,201][INFO ][logstash.outputs.elasticsearch] Attempting to install template {:manage_template=>{"index_patterns"=>"logstash-*", "version"=>60001, "settings"=>{"index.refresh_interval"=>"5s", "number_of_shards"=>1}, "mappings"=>{"dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"*", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date"}, "@version"=>{"type"=>"keyword"}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}
[2019-11-21T02:08:37,339][INFO ][logstash.javapipeline    ] Pipeline started {"pipeline.id"=>"main"}
[2019-11-21T02:08:37,394][INFO ][filewatch.observingtail  ] START, creating Discoverer, Watch with file and sincedb collections
[2019-11-21T02:08:37,396][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2019-11-21T02:08:37,635][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}

为什么这么少的数据没有立即反映？我该如何改进？

标签： elasticsearchlogstashelastic-stacklogstash-configuration