执行logstash同步脚本时出现如下报错:
Logstash could not be started because there is already another instance using the configured data directory. If you wish to run multiple instances, you must change the "path.data" setting
将原先的命令:
bin/logstash -f config/mailflow.conf
改为:
bin/logstash -f config/mailflow.conf --path.data=/logstash/mailflow
其中,--path.data是指存放数据的路径
同步最近1小时数据脚本:
input {
elasticsearch {
hosts => "ESIP:9200" #配置 elasticsearch的地址及index
index => "mailflow*"
query => '{ "query": {"range":{"@timestamp": {"gte": "now-1h"}}}}'
size => 10000 #配置遍历数据
scroll => "5m" # 配置遍历时间间隔
docinfo => true
}
}
filter {
mutate{
convert => { "time-taken" => "integer" }
}
}
output {
elasticsearch {
hosts => "esip:9200"
index => "%{[@metadata][_index]}"
document_type => "%{[@metadata][_type]}"
document_id => "%{[@metadata][_id]}"
}}
