Preparation
Configure the virtual machine with a static IP and download all the rpm packages. This is my directory layout:
[root@localhost elasticstack-rpm]# tree
.
├── beat
│ └── filebeat-7.8.0-x86_64.rpm
├── elasticsearch-7.8.0-x86_64.rpm
├── kibana-7.8.0-x86_64.rpm
├── logstash-7.8.0.rpm
The packages have no dependencies on each other, so install each one directly with rpm -ivh xxx.rpm.
Disable the firewall: systemctl stop firewalld && systemctl disable firewalld
Configure Elasticsearch
Edit the Elasticsearch configuration file /etc/elasticsearch/elasticsearch.yml:
network.host: 192.168.124.10
discovery.seed_hosts: [ "192.168.124.10"]
cluster.initial_master_nodes: ["localhost.localdomain"]
Then start the service:
systemctl enable elasticsearch && systemctl start elasticsearch
After Elasticsearch has started, check that it came up successfully:
[root@localhost elasticstack-rpm]# curl 192.168.124.10:9200
{
  "name" : "localhost.localdomain",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "_na_",
  "version" : {
    "number" : "7.8.0",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "757314695644ea9a1dc2fecd26d1a43856725e65",
    "build_date" : "2020-06-14T19:35:50.234439Z",
    "build_snapshot" : false,
    "lucene_version" : "8.5.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
Kibana
## /etc/kibana/kibana.yml
server.host: "192.168.124.10"
elasticsearch.hosts: ["http://192.168.124.10:9200"]
Start Kibana:
systemctl enable kibana && systemctl start kibana
Open it in a browser: http://192.168.124.10:5601/
Configure the index pattern
Enter the time field:
Filebeat
setup.kibana:
  host: "192.168.124.10:5601"
output.elasticsearch:
  hosts: ["192.168.124.10:9200"]
processors:  # drop the fields that are not needed
  - drop_fields:
      fields: ["agent.type"]  # regular expressions are not supported
      ignore_missing: false
Then restart the service:
systemctl restart filebeat
Check the Kibana UI
Exception
The number of max_docvalue_fields_search exceeded the limit:
Trying to retrieve too many docvalue_fields. Must be less than or equal to: [100] but was [137]. This limit can be set by changing the [index.max_docvalue_fields_search] index level setting
PUT filebeat-7.8.0-2020.07.01-000001/_settings
{
  "index" : {
    "max_docvalue_fields_search" : 200
  }
}
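As an added example (not code from the original post): a small Python helper that parses the error text above, derives a limit with some headroom (137 requested rounds up to the 200 used in the PUT above), and can push that setting to the Elasticsearch host from this page and read it back to confirm it took effect. The Elasticsearch URL, the headroom and rounding step, and the constructed sample error are assumptions.

```python
"""Parse the Elasticsearch docvalue_fields limit error and build/apply the fix."""
import json
import re
import urllib.request

# Constructed sample: the error text reported by Kibana on this page.
SAMPLE_ERROR = (
    "Trying to retrieve too many docvalue_fields. Must be less than or equal "
    "to: [100] but was [137]. This limit can be set by changing the "
    "[index.max_docvalue_fields_search] index level setting"
)

_PATTERN = re.compile(
    r"Must be less than or equal to: \[(\d+)\] but was \[(\d+)\].*?"
    r"\[(index\.max_docvalue_fields_search)\]"
)


def parse_docvalue_error(message):
    """Return (current_limit, requested, setting_name), or None if the text does not match."""
    m = _PATTERN.search(message)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3)


def settings_body(requested, headroom=50, step=50):
    """Build the _settings body: requested + headroom, rounded up to a multiple of step."""
    limit = -(-(requested + headroom) // step) * step  # ceiling division
    return {"index": {"max_docvalue_fields_search": limit}}


def fix_for(message, headroom=50, step=50):
    """Turn an error message into the _settings body, or None if it is a different error."""
    parsed = parse_docvalue_error(message)
    if parsed is None:
        return None
    return settings_body(parsed[1], headroom, step)


def apply_settings(es_url, index, body, timeout=10):
    """PUT the body to <index>/_settings, then GET the setting back and return it as an int.
    Assumes the unauthenticated ES host used on this page; not exercised offline."""
    req = urllib.request.Request(f"{es_url}/{index}/_settings", data=json.dumps(body).encode(),
                                 method="PUT", headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        json.load(resp)  # {"acknowledged": true} on success
    with urllib.request.urlopen(f"{es_url}/{index}/_settings/index.max_docvalue_fields_search",
                                timeout=timeout) as resp:
        settings = json.load(resp)
    return int(settings[index]["settings"]["index"]["max_docvalue_fields_search"])


if __name__ == "__main__":
    print(json.dumps(fix_for(SAMPLE_ERROR)))  # {"index": {"max_docvalue_fields_search": 200}}
```

The setting applies to that one index only; the index named above is a rollover index, so the next rollover (-000002) starts from the default of 100 again unless the same value is placed in an index template.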
References: