External Indexes¶
Bind external indexes on the TrueWatch side to query and analyze external index data.
Currently supported external indexes include:
SLS Logstore
Elasticsearch
OpenSearch
LogEase
Volcengine TLS
Note
- Bound indexes only support deletion. After unbinding, you will not be able to query logs under this index;
- Other indexes cannot have the same name as a log index or any historical log index.
Field Mapping¶
Since platform fields and external index fields may differ, field mapping is provided to ensure functionality works properly. When binding an external index, you can directly map log fields:
| Field | Description |
|---|---|
time |
The time when the log was reported. SLS Logstore maps the date field to time by default. For Elasticsearch and OpenSearch, fill in according to actual data; if this field is missing, log data in the log viewer will be displayed out of order. |
_docid |
The unique ID of the log. After mapping, you can view detailed information of the bound log. If the original field is not unique, the earliest log (by time) will be displayed after refreshing the details page. If this field is missing, some content will be absent from the log details page. |
message |
The content of the log. After mapping, you can view the log content and perform cluster analysis on log data using the message field. |
You can also click Edit in the external index list to modify the required field mappings for an index.
Note
- Mapping rules for each index are saved independently and do not share with each other;
- If a log contains the
_docidfield and also maps the same field, the_docidfield in the original log will not take effect.