External Indices¶
Bind external indices on the TrueWatch side to query and analyze external index data.
Currently supported external indices include:
Note
- Bound indices can only be deleted. After unbinding, logs under this index cannot be queried.
- Other indices cannot have the same name as a log index, nor can they have the same name as any historical log index.
Field Mapping¶
Because standard fields in the platform and external indices may not be consistent, a field mapping feature is provided to ensure proper functionality. When binding an external index, you can directly map the log fields:
| Field | Description |
|---|---|
time |
The reporting time of the log. SLS Logstore defaults to mapping the date field to time. For Elasticsearch and OpenSearch, it can be filled according to the actual data. If this field is absent, data in the Explorer will be displayed out of order. |
_docid |
The unique ID of the log. After mapping, details of the bound log can be viewed. If the original field is not unique, the log with the earliest timestamp will be displayed upon refreshing the details page. If this field is absent, part of the content on the log details page will be missing. |
message |
The content of the log. After mapping, the content of the bound log can be viewed, and log data can be clustered for analysis via the message field. |
You can also click Modify in the external index list to enter the index that requires field mapping modifications and make changes.
Note
- The mapping rules for each index are saved independently and are not shared.
- If a log has a
_docidfield and the same field is mapped, the original_docidin the log will not take effect.