绊脚石乃是进身之阶。

Logstash指定ES Mapping问题

匿名 | 发布于2018年05月06日 | 阅读数:4190

1、Logstash配置如下:
 33 output {
34 elasticsearch{
35 hosts => ["******:9200"]
36 index => "admin-tmp-%{[index_name]}-%{+YYYY.MM.dd}"
37 timeout => 300
39 template => "/usr/local/logstash-6.2.4/admin-template.json"
40 template_name => "mytest"
41 manage_template => false
42 template_overwrite => true
43 }
44 stdout {
45 codec=>rubydebug
46 }
47 }

2、Template配置如下:
 
      1 {
2 "template": "logstash-*",
3 "version": 60001,
4 "settings": {
5 "index.refresh_interval": "5s",
6 "number_of_shards": "2",
7 "number_of_replicas": "1"
8 },
9 "mappings": {
10 "_doc": {
11 "dynamic_templates": [{
12 "message_field": {
13 "path_match": "message",
14 "match_mapping_type": "string",
15 "mapping": {
16 "type": "text",
17 "norms": false
18 }
19 }
20 }, {
21 "string_fields": {
22 "match": "*",
23 "match_mapping_type": "string",
24 "mapping": {
25 "type": "text",
26 "norms": false,
27 "fields": {
28 "keyword": {
29 "type": "keyword",
30 "ignore_above": 256
31 }
32 }
33 }
34 }
35 }],
36 "properties": {
37 "myport": {
38 "type": "long"
39 },
40
41 "mid": {
42 "type": "long"
43 }
44 }
45 }
46 }
47 }

 
3、写入日志为:
{"mid":"1234567890","myport":12345}
 
4、最后MID和src_port都没有改变:

"mid": { "type": "text", "fields": { "keyword": { "ignore_above": 256, "type": "keyword" } } },
"myport": { "type": "long" },
 
麻烦问一下,我哪里配错了啊?
 
已邀请:

kennywu76 - Wood

赞同来自:

manage_template => false
这个参数要设置成true,template才会起效果。

mikeylj

赞同来自:

但是我设置了true,ES中的MID fields还是text的,不是我想要的long,不知道为什么?

zqc0512 - andy zhou

赞同来自:

"template": "logstash-*", 这个是匹配 logstash*开始的,你写入的索引是admin-tmp开始的,肯定不匹配啊。

要回复问题请先登录注册