即使是不成熟的尝试,也胜于胎死腹中的策略。

logstash 切割问题

Logstash | 作者 jackchu | 发布于2020年04月07日 | 阅读数:2803

logstash 解析filebeat传输过来的日志,使用 grok json 解析,但logstash直接报failed to parse field [xxx] of type [long] in document with id xxx的错。
1. 日志原文如下:
```
168-{"content":[{"address":"","batchNo":"003","imei":"869881012802263","lat":"4.9E-324","lon":"4.9E-324","packRuleId":6674491380961656832,"packType":1,"productLineId":6675337592604475392,"skuId":6674490324399702017,"subCodes":[{"cid":"61","code":"0010000000000431","codeType":1,"vid":"1"},{"cid":"61","code":"0010000000000432","codeType":1,"vid":"1"}],"superCode":{"cid":"61","code":"0010000000000516","codeType":1,"vid":"1"},"warehouseId":6674863754632511488}],"entityId":"","entityObject":"xxxxx","logTitle":"xxx","moduleType":"TENANT_CODE","moduleTypeName":"xxxx","operateTime":1585880507861,"operateType":"UPDATE","operateTypeName":"xx","orgId":6674147603194576896,"orgName":"xxxx","tenantId":"xx","terminalType":"UNKOW","terminalTypeName":"xxxx","userIp":"xxx","userName":"test001"}
```
2. logstash 配置如下:
```
grok {
#match => { "message" => "(?<endMsg>(entityId).*?(?=}))" }
match => { "message" => "(?<endMsg>({).*?(.*))" }
}
json {
source => "endMsg"
}
mutate {
remove_field =>["message"]
remove_field =>["tags"]
remove_field =>["agent"]
remove_field =>["host"]
remove_field =>["cloud"]
#remove_field =>["endMsg"]
}
}
```

3. logstash 报错如下
```
"error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [content.superCode] of type [long] in document with id 'lumZP3EBROFVySvuyblS'"
```

按道理可以直接json解析的,麻烦问下这是什么问题
已邀请:

luohuanfeng

赞同来自:

看一下index的mapping,应该是映射类型问题. 
如果不能确定superCode的类型就 都指定成keyword或者text.
 
 
 
 

要回复问题请先登录注册