ElasticSearch: Operations

From Wikioe


About

[Reposted from: https://www.orchome.com/Elasticsearch/index]

Setting the default number of shards and replicas in Elasticsearch

In Elasticsearch 5.1 the old way of setting the shard and replica counts in the configuration file (elasticsearch.yml) no longer works: index-level settings were removed from the node configuration in 5.0. Use the index settings API or an index template instead, as below.


Change the replica count of existing indices (below: replicas set to 0). Note that PUT /_settings with no index name applies to every existing index in the cluster, including system indices such as .kibana; scope it with an index name or pattern (for example /log-*/_settings) unless that is intended. A replica count of 0 leaves a single copy of each shard, so losing one node loses that index's data.

curl -XPUT -H 'Content-Type: application/json' https://192.168.x.x:9200/_settings -d '
{
  "index": {
    "number_of_replicas": 0
  }
}'


Set a default index template (below: 10 shards, 0 replicas):

curl -XPUT -H 'Content-Type: application/json' https://192.168.x.x:9200/_template/log -d '
{
  "template": "log-*",
  "settings": {
    "number_of_shards": 10,
    "number_of_replicas": "0"
  }
}'
  • Indices created afterwards whose names match log-* get these settings. A template is applied only when an index is created, so existing indices are not changed. On 6.0 and later the "template" key is spelled "index_patterns" (an array), and from 7.8 the legacy _template API is superseded by _index_template.
  • See: [official index template documentation page]
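Added example (Python; not code from the page or from the orchome post) showing which settings an index actually receives when more than one legacy _template template matches its name: Elasticsearch applies every matching template, merged in ascending order, so the higher order wins for a setting both define. The TEMPLATES dict mirrors the page's log template plus an assumed cluster-wide fallback at order 0; the simple wildcard matcher, the function names and replica_warning are assumptions of this example, not part of Elasticsearch.

```python
import re

# Constructed legacy (_template) templates: the page's "log" template plus an
# ASSUMED cluster-wide fallback. Not read from any live cluster.
TEMPLATES = {
    "defaults": {"template": "*", "order": 0,
                 "settings": {"number_of_shards": 5, "number_of_replicas": 1}},
    "log": {"template": "log-*", "order": 1,
            "settings": {"number_of_shards": 10, "number_of_replicas": "0"}},
}


def pattern_matches(pattern, index_name):
    """Legacy templates use a simple wildcard in which only '*' is special."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, index_name) is not None


def effective_settings(templates, index_name):
    """Merge every template whose pattern matches, in ascending 'order', so a
    higher order overrides a lower one for the same key (what Elasticsearch
    does at index-creation time). Returns {} when nothing matches."""
    matching = [t for t in templates.values()
                if pattern_matches(t["template"], index_name)]
    merged = {}
    for tpl in sorted(matching, key=lambda t: t["order"]):
        merged.update(tpl["settings"])
    return merged


def replica_warning(settings):
    """number_of_replicas 0 means one copy of each shard: any node loss loses
    that index's data. Returns a warning string, or None when redundant."""
    if str(settings.get("number_of_replicas", "1")) == "0":
        return "number_of_replicas is 0: no redundancy for this index"
    return None


if __name__ == "__main__":
    for name in ("log-2016.12.26", "metrics-2016.12.26"):
        s = effective_settings(TEMPLATES, name)
        print(name, s, replica_warning(s))
```

Run it before creating a template to confirm that the pattern catches only the indices you mean and that a lower-order catch-all does not silently reintroduce or remove replicas.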

Deleting historical logs from Elasticsearch

Example: the Logstash configuration that ships logs from Kafka into ES:

input {
  kafka {
    topics => ["logs-normal","logs-error","logs-point"]
    bootstrap_servers => "192.168.x.x:9092,192.168.x.x:9092,192.168.x.x:9092"
    group_id => "logstash"
    # A plugin takes exactly one codec; the original listed both json and
    # multiline, which Logstash rejects as a duplicate setting. json is kept
    # here (use plain if the topics carry raw text lines); join multi-line
    # stack traces in the shipper before they reach Kafka.
    codec => json
  }
}
filter {
  # Pull the log line's own timestamp, e.g. "[2016-12-26 10:00:00,123 ..."
  grok {
    match => { "message" => "\[(?<datetime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3})" }
  }
  # Make it @timestamp so the event lands in the index of the day it happened
  date {
    match => ["datetime", "yyyy-MM-dd HH:mm:ss,SSS"]
    target => "@timestamp"
  }
  mutate {
    remove_field => ["datetime"]
  }
}
output {
  elasticsearch {
    action => "index"
    hosts  => ["192.168.x.x:9200","192.168.x.x:9200","192.168.x.x:9200"]
    # one index per day, named from @timestamp
    index  => "applog-%{+YYYY.MM.dd}"
  }
}

As above, index => "applog-%{+YYYY.MM.dd}" produces one index per day, named from the event's @timestamp (which the date filter set from the log line's own datetime, so an index holds the events of that day rather than the day they were ingested). Old logs are therefore deleted per index, by name and date.

For example:

curl -XDELETE  "192.168.101.123:9200/applog-2016.12.26"

Check the data path on disk: the space is released as soon as the index is deleted, because the shard directories are removed outright (a delete-by-query, by contrast, only marks documents as deleted; see below). On an unauthenticated port 9200 this is a one-line way to lose a day of logs, and a wildcard such as applog-* would remove every matching index; set action.destructive_requires_name: true in elasticsearch.yml so that DELETE requires explicit index names.

Scheduled deletion of Elasticsearch data

The following script can be run from cron to delete documents older than N days by a date field:

(create the script delete_es_by_day.sh)
#!/bin/sh
# example: sh delete_es_by_day.sh logstash-kettle-log logsdate 30
# Deletes documents whose date field is on or before (today - N days).
# Uses the 1.x/2.x delete-by-query syntax; on 2.x the delete-by-query plugin
# must be installed (see the next section).

index_name=$1
daycolumn=$2
savedays=$3
format_day=$4
es_host=${ES_HOST:-10.130.3.102:9200}

if [ -z "$index_name" ] || [ -z "$daycolumn" ] || [ -z "$savedays" ]; then
  echo "usage: $0 <index_name> <date_field> <days_to_keep> [date_format]" >&2
  exit 1
fi

if [ -z "$format_day" ]; then
  format_day='%Y%m%d'
fi

# cutoff day: everything on or before this day is deleted
cutoff_day=$(date -d "-${savedays} day" +"${format_day}")

# An unquoted heredoc keeps the JSON's double quotes while still expanding
# ${daycolumn} and ${cutoff_day}; the original -d "..." form stripped the
# inner quotes and sent invalid JSON. The cutoff is quoted as a string: a bare
# number in a date range is read as epoch milliseconds, not as a day.
curl -XDELETE "${es_host}/${index_name}/_query?pretty" -d @- <<EOF
{
  "query": {
    "filtered": {
      "filter": {
        "bool": {
          "must": {
            "range": {
              "${daycolumn}": {
                "from": null,
                "to": "${cutoff_day}",
                "include_lower": true,
                "include_upper": true
              }
            }
          }
        }
      }
    }
  }
}
EOF

echo "ok"

Parameters:

  1. Index name;
  2. Name of the date field;
  3. Number of days of data to keep;
  4. Date format (optional; default %Y%m%d, i.e. 20160101)
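To automate the index-per-day retention described above, and as an alternative to the per-document cron script, here is an added Python example that is not from the original page or the orchome post: it parses index names of the form applog-YYYY.MM.dd from a constructed sample of what GET /_cat/indices would list, selects those on or before the cutoff (the same inclusive upper bound as the script), and renders one explicit DELETE per index as a dry run instead of sending anything. The base URL, the sample index list and the function names are assumptions.

```python
import re
from datetime import date, timedelta

# Constructed sample of what GET /_cat/indices?h=index might list on the
# cluster in the text; not real output from any cluster.
SAMPLE_INDICES = [
    "applog-2016.11.25", "applog-2016.11.26", "applog-2016.12.25",
    "applog-2016.12.26", "applog", ".kibana", "log-2016.11.01",
]

# Names produced by index => "<prefix>-%{+YYYY.MM.dd}"
DAILY_INDEX = re.compile(
    r"^(?P<prefix>[a-z0-9_.-]+)-(?P<y>\d{4})\.(?P<m>\d{2})\.(?P<d>\d{2})$")


def index_day(index_name):
    """Return (prefix, date) for a daily index name, or None for names without
    a valid date suffix such as "applog" or ".kibana"; those never qualify."""
    m = DAILY_INDEX.match(index_name)
    if m is None:
        return None
    try:
        day = date(int(m["y"]), int(m["m"]), int(m["d"]))
    except ValueError:          # e.g. applog-2016.13.01
        return None
    return m["prefix"], day


def expired_indices(index_names, prefix, keep_days, today_iso):
    """Daily indices of `prefix` whose day is on or before today - keep_days.
    Returns explicit names only, never a wildcard, oldest first."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=keep_days)
    expired = []
    for name in index_names:
        parsed = index_day(name)
        if parsed is not None and parsed[0] == prefix and parsed[1] <= cutoff:
            expired.append(name)
    return sorted(expired)


def delete_requests(index_names, base_url="http://192.168.101.123:9200"):
    """One explicit DELETE per index, in the curl -XDELETE form used above.
    Deleting a whole index frees its disk space immediately. Nothing is sent."""
    return [f"curl -XDELETE '{base_url}/{name}'" for name in index_names]


if __name__ == "__main__":
    doomed = expired_indices(SAMPLE_INDICES, "applog", 30, "2016-12-26")
    for cmd in delete_requests(doomed):
        print(cmd)
```

Because the selection only ever yields full, explicit names, it stays compatible with action.destructive_requires_name, and an index that does not carry a date suffix can never be chosen by mistake.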

Deleting documents by query in Elasticsearch (delete by query)

The built-in delete-by-query API was removed in 2.0 and moved into the delete-by-query plugin. (In 5.0 it returned to core as POST /<index>/_delete_by_query, and the filtered query used below was removed in the same release; on 5.x and later use a bool query with a filter clause.)


  1. Install the plugin:
    cd /path/to/ElasticSearch
    sudo bin/plugin install delete-by-query
    
    After a successful install:
    [screenshot: Elasticsearch delete-by-query plugin installed]
    • In a cluster the plugin must be installed on every node, and each node restarted, before it takes effect.
    • (Once installed and restarted, delete by query works as it did before 2.0.)
  2. Run the delete:
    curl -XDELETE 'https://10.0.21.xx:9200/applog/logs/_query?pretty' -d ' 
    {
      "query": {
        "filtered": {
          "filter": {
            "range": {
              "@timestamp": {
                "lte": "2016-11-21"
              }
            }
          }
        }
      }
    }'
    
  3. Force merge: a delete-by-query only marks documents as deleted inside their segments, so the disk space is not returned until Lucene merges those segments away. _optimize forces that merge (the endpoint was renamed _forcemerge in 2.1); max_num_segments=1 rewrites each shard into a single segment, which is I/O-heavy and should only be run on indices that are no longer being written to:
    curl -XPOST 'https://10.0.21.xx:9200/applog/_optimize?max_num_segments=1'
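Added example (Python; not the page's or the plugin's code) that builds the delete in step 2 and the merge in step 3 for the Elasticsearch version in use, since both endpoints changed: DELETE /<index>/<type>/_query with a filtered query exists only on 2.x with the plugin, 5.0 and later use POST /<index>/_delete_by_query with a bool filter, and _optimize became _forcemerge in 2.1. The index name, document type, date field, cutoff, the (major, minor) version tuple and the as_curl helper are assumptions; nothing is sent to a cluster.

```python
import json


def delete_by_query_request(index, date_field, cutoff, es_version, doc_type="logs"):
    """(method, path, body) that deletes documents with date_field <= cutoff.

    es_version is a (major, minor) tuple. Before 5.0 this is the delete-by-query
    plugin's DELETE /<index>/<type>/_query with the page's filtered query; from
    5.0 on it is the built-in POST /<index>/_delete_by_query, and 'filtered'
    (removed in 5.0) becomes a bool query with a filter clause.
    """
    range_clause = {"range": {date_field: {"lte": cutoff}}}
    if es_version < (5, 0):
        body = {"query": {"filtered": {"filter": range_clause}}}
        return "DELETE", f"/{index}/{doc_type}/_query", body
    body = {"query": {"bool": {"filter": range_clause}}}
    # conflicts=proceed: a document updated between the search and the delete
    # is skipped instead of aborting the whole request.
    return "POST", f"/{index}/_delete_by_query?conflicts=proceed", body


def force_merge_request(index, es_version, max_num_segments=1):
    """Request that reclaims the space of deleted documents.

    _optimize was renamed _forcemerge in 2.1. max_num_segments=1 rewrites the
    whole index; pass None to use only_expunge_deletes=true instead, which
    merges just the segments that contain deletions.
    """
    endpoint = "_optimize" if es_version < (2, 1) else "_forcemerge"
    if max_num_segments is None:
        query = "only_expunge_deletes=true"
    else:
        query = f"max_num_segments={max_num_segments}"
    return "POST", f"/{index}/{endpoint}?{query}", None


def as_curl(request, base_url="https://10.0.21.xx:9200"):
    """Render a request as the curl line the page's examples use."""
    method, path, body = request
    line = f"curl -X{method} '{base_url}{path}'"
    if body is not None:
        line += " -H 'Content-Type: application/json' -d '" + json.dumps(body) + "'"
    return line


def retention_plan(index, date_field, cutoff, es_version):
    """Delete first, then merge, in that order."""
    return [delete_by_query_request(index, date_field, cutoff, es_version),
            force_merge_request(index, es_version)]


if __name__ == "__main__":
    for version in ((2, 4), (5, 6)):
        print(f"# Elasticsearch {version[0]}.{version[1]}")
        for req in retention_plan("applog", "@timestamp", "2016-11-21", version):
            print(as_curl(req))
```

The Content-Type header is mandatory from 6.0 and harmless on older versions, so as_curl always emits it when there is a body.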