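I'm using an ingest pipeline script processor to extract the day of the week from the local time of each document.
I use client_ip to extract the timezone, use that together with the timestamp to extract the local time, and then extract the day of week (and other features) from that local time.
This is my ingest pipeline: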
{
"processors" : [
{
"set" : {
"field" : "@timestamp",
"override" : false,
"value" : "{{_ingest.timestamp}}"
}
},
{
"date" : {
"field" : "@timestamp",
"formats" : [
"EEE MMM dd HH:mm:ss 'UTC' yyyy"
],
"ignore_failure" : true,
"target_field" : "@timestamp"
}
},
{
"convert" : {
"field" : "client_ip",
"type" : "ip",
"ignore_failure" : true,
"ignore_missing" : true
}
},
{
"geoip" : {
"field" : "client_ip",
"target_field" : "client_geo",
"properties" : [
"continent_name",
"country_name",
"country_iso_code",
"region_iso_code",
"region_name",
"city_name",
"location",
"timezone"
],
"ignore_failure" : true,
"ignore_missing" : true
}
},
{
"script" : {
"description" : "Extract details of Dates",
"lang" : "painless",
"ignore_failure" : true,
"source" : """
LocalDateTime local_time = LocalDateTime.ofInstant( Instant.ofEpochMilli(ctx['@timestamp']), ZoneId.of(ctx['client_geo.timezone']));
int day_of_week = local_time.getDayOfWeek().getValue();
int hour_of_day = local_time.getHour();
int office_hours = 0;
if (day_of_week<6 && day_of_week>0) { if (hour_of_day >= 7 && hour_of_day <= 19 ) {office_hours =1;} else {office_hours = -1;}} else {office_hours = -1;}
ctx['day_of_week'] = day_of_week;
ctx['hour_of_day'] = hour_of_day;
ctx['office_hours'] = office_hours;
"""
}
}
]
}
The first two processors were added earlier for other purposes. I have added the last 3.
An example document might look like this:
"docs": [
{
"_source": {
"@timestamp": 43109942361111,
"client_ip": "89.160.20.128"
}
}
]
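I now get the GeoIP fields in the data, but none of the fields created by the script processor. What am I doing wrong?
EDIT: Some notes on the index affected by these changes: dynamic mapping is turned off. I have manually added the client_geo.timezone field to the index's mapping as a keyword. When I run the following scripted search against the index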
GET index_name/_search
{
"script_fields": {
"day_of_week": {
"script": "doc['@timestamp'].value.withZoneSameInstant(ZoneId.of(doc['client_geo']['timezone'])).getDayOfWeek().getValue()"
}
}
}
I get the following runtime error in script execution:
"caused_by" : {
"type" : "illegal_argument_exception",
"reason" : "No field found for [client_geo] in mapping"
}
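Reply from a uj5u.com user:
Thank you for the well-formed question and example.
I was able to reproduce your problem and figured it out.
ctx is the "document source as is". So ingest does not automatically dig into dot-delimited fields.
Your client data is added like this: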
"client_geo" : {
"continent_name" : "Europe"
//<snip>..</snip>
}
So you have to access it directly as a nested hash map.
Meaning ctx['client_geo.timezone'] should be ctx['client_geo']['timezone']
Here is the full pipeline that worked for me:
"processors": [
{
"set": {
"field": "@timestamp",
"override": false,
"value": "{{_ingest.timestamp}}"
}
},
{
"date": {
"field": "@timestamp",
"formats": [
"EEE MMM dd HH:mm:ss 'UTC' yyyy"
],
"ignore_failure": true,
"target_field": "@timestamp"
}
},
{
"convert": {
"field": "client_ip",
"type": "ip",
"ignore_failure": true,
"ignore_missing": true
}
},
{
"geoip": {
"field": "client_ip",
"target_field": "client_geo",
"properties": [
"continent_name",
"country_name",
"country_iso_code",
"region_iso_code",
"region_name",
"city_name",
"location",
"timezone"
],
"ignore_failure": true,
"ignore_missing": true
}
},
{
"script": {
"description": "Extract details of Dates",
"lang": "painless",
"ignore_failure": true,
"source": """
LocalDateTime local_time = LocalDateTime.ofInstant(Instant.ofEpochMilli(ctx['@timestamp']), ZoneId.of(ctx['client_geo']['timezone']));
int day_of_week = local_time.getDayOfWeek().getValue();
int hour_of_day = local_time.getHour();
int office_hours = 0;
if (day_of_week<6 && day_of_week>0) { if (hour_of_day >= 7 && hour_of_day <= 19 ) {office_hours =1;} else {office_hours = -1;}} else {office_hours = -1;}
ctx['day_of_week'] = day_of_week;
ctx['hour_of_day'] = hour_of_day;
ctx['office_hours'] = office_hours;
"""
}
}
]
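An added example, not part of the original question or answer: the script processor from the pipeline above, run through the simulate API with `on_failure` in place of `ignore_failure`, so a failing script writes its error onto the document instead of silently leaving the fields out. The `local_time_features` tag, the `ingest_error` field and the three test documents are constructed for illustration.

```console
POST _ingest/pipeline/_simulate
{
  "pipeline": {
    "processors": [
      {
        "script": {
          "description": "Extract details of Dates",
          "tag": "local_time_features",
          "lang": "painless",
          "if": "ctx.client_geo?.timezone != null",
          "source": """
            // client_geo is a nested map inside ctx, so index it one level at a time.
            // The tag and the ingest_error field below are hypothetical names.
            LocalDateTime local_time = LocalDateTime.ofInstant(Instant.ofEpochMilli(ctx['@timestamp']), ZoneId.of(ctx['client_geo']['timezone']));
            int day_of_week = local_time.getDayOfWeek().getValue();
            int hour_of_day = local_time.getHour();
            ctx['day_of_week'] = day_of_week;
            ctx['hour_of_day'] = hour_of_day;
            // Same rule as the original: Mon-Fri, 07:00-19:59 local time -> 1, otherwise -1
            ctx['office_hours'] = (day_of_week > 0 && day_of_week < 6 && hour_of_day >= 7 && hour_of_day <= 19) ? 1 : -1;
          """,
          "on_failure": [
            {
              "set": {
                "field": "ingest_error",
                "value": "{{ _ingest.on_failure_processor_tag }}: {{ _ingest.on_failure_message }}"
              }
            }
          ]
        }
      }
    ]
  },
  "docs": [
    { "_source": { "@timestamp": 43109942361111, "client_geo": { "timezone": "Europe/Stockholm" } } },
    { "_source": { "@timestamp": 43109942361111 } },
    { "_source": { "@timestamp": 43109942361111, "client_geo": { "timezone": "Not/AZone" } } }
  ]
}
```

The first document gets the three derived fields, the second is skipped by the `if` guard because no timezone was resolved, and the third carries `ingest_error` because `ZoneId.of` rejects the zone name.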
