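Logstash / Elasticsearch: "Failed to install template" / "Got response code '400'"

Problem description

I'm new to the ELK stack and I'm trying to install a template from the Logstash output.elasticsearch, but when I put the "mappings" key in the JSON, I run into the following problem: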

[2020-09-12T15:19:04,321][ERROR][logstash.outputs.elasticsearch] Failed to install template. {:message=>"Got response code '400' contacting Elasticsearch at URL 'http://elasticsearch:9200/_template/maillog'",:class=>"LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError",:backtrace=>["/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/http_client/manticore_adapter.rb:80:in `perform_request'","/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:291:in `perform_request_to_url'","/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:278:in `block in perform_request'","/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:373:in `with_connection'","/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:277:in `perform_request'","/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:285:in `block in Pool'","/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/http_client.rb:352:in `template_put'","/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/http_client.rb:86:in `template_install'","/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/template_manager.rb:28:in 
`install'","/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/template_manager.rb:16:in `install_template'","/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/common.rb:130:in `install_template'","/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/common.rb:51:in `block in setup_after_successful_connection'"]}

Here is my JSON template:

{
  "index_patterns": "*-maillog-*",
  "settings": {
    "index": {
      "refresh_interval": "10s",
      "number_of_shards": 1,
      "number_of_replicas": 0
    }
  },
  "mappings": {
    "maillog": {
      "properties": {
        "ip": { "type": "ip" }
      }
    }
  }
}

Here is my output.elasticsearch:

output {
     elasticsearch {
        id => "test"
        index => "%{[product]}-maillog-%{+YYYY.MM.dd}"
        hosts => ["###ELASTIC_HOST###:9200"]
        document_type => "maillog"
        manage_template => true
        template_overwrite => true
        template => "${CONF_PATH}/mapping/maillog.json"
        template_name => "maillog"
      }
}

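With this conf, Elasticsearch fails to create my template, but if I remove the "mappings" key from the template, like this:

{
  "index_patterns": "*-maillog-*",
  "settings": {
    "index": {
      "refresh_interval": "10s",
      "number_of_shards": 1,
      "number_of_replicas": 0
    }
  }
}

There is no problem anymore.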

My stack consists of 3 containers:

elasticsearch 7.4.2

logstash 7.4.2

kibana 7.4.2

I'm probably missing something, but I've spent a lot of time on this without a clue how to solve it...

Thanks for your help

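Solution

The Elasticsearch version you are using, 7.X, no longer has types.

The maillog after the mappings declaration would be the type you would use in versions before 7.X, but this no longer works in version 7.X; you need to change your mappings to the one below.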

"mappings": {
    "properties": {
        "ip": { "type": "ip" }
    }  
}

Also, you can remove document_type from the elasticsearch output in Logstash; it no longer works.
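
The fix described in the answer, as an added example that is not part of the original question or answer: a Python pre-flight check that detects a pre-7.x mapping type wrapper in a template and rewrites it to the typeless form before Logstash tries to install it. The function names and the list of root-level mapping keys are assumptions of this example.

```python
import copy
import json

# Keys that Elasticsearch 7.x accepts directly under "mappings" (typeless form).
# Assumption: this covers the common root-level mapping parameters; extend as needed.
ROOT_MAPPING_KEYS = {
    "properties", "dynamic", "dynamic_templates", "date_detection",
    "numeric_detection", "dynamic_date_formats", "_source", "_routing", "_meta",
}

def legacy_types(template):
    """Return the names under "mappings" that look like pre-7.x mapping types."""
    mappings = template.get("mappings") or {}
    return [k for k, v in mappings.items()
            if k not in ROOT_MAPPING_KEYS and isinstance(v, dict)]

def to_typeless(template):
    """Return a copy of the template with a single legacy type wrapper removed."""
    types = legacy_types(template)
    if not types:
        return copy.deepcopy(template)
    if len(types) > 1:
        raise ValueError(f"multiple mapping types cannot be merged automatically: {types}")
    fixed = copy.deepcopy(template)
    body = fixed["mappings"].pop(types[0])
    # Root-level keys that sat next to the wrapper would collide with its body.
    clash = set(body) & set(fixed["mappings"])
    if clash:
        raise ValueError(f"conflicting mapping keys: {sorted(clash)}")
    fixed["mappings"].update(body)
    return fixed

# Sample input: the template from the question, embedded so the check runs offline.
QUESTION_TEMPLATE = json.loads("""
{
  "index_patterns": "*-maillog-*",
  "settings": {"index": {"refresh_interval": "10s", "number_of_shards": 1, "number_of_replicas": 0}},
  "mappings": {"maillog": {"properties": {"ip": {"type": "ip"}}}}
}
""")

if __name__ == "__main__":
    print("legacy types:", legacy_types(QUESTION_TEMPLATE))
    print(json.dumps(to_typeless(QUESTION_TEMPLATE), indent=2))
```

Running a check like this over the template files in CI catches the rejected template before deployment, so the ip field is not left to dynamic mapping when the template fails to install.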