我已经安装了ES集群和Logstash。 我有很多输入类型的消息。现在我有Gelf输入类型的问题。我需要将ES中的所有字段存储为字符串,但如果我在gelf中有json" message" field - ES从这个json创建新的映射。我不想要它,我尝试了很多变种来禁用动态映射" message"领域。 Logstash模板配置:
{
"mappings":{
"_default_":{
"_all":{
"enabled":false
},
"_source":{
"enabled":true,
"compress":true
},
"dynamic_templates":[
{
"message_template":{
"mapping":{
"index":"not_analyzed",
"type":"string"
},
"match":"message",
"match_mapping_type":"string"
},
"string_template":{
"mapping":{
"index":"not_analyzed",
"type":"string"
},
"match":"*",
"match_mapping_type":"string"
}
}
],
"properties":{
"@version":{
"index":"not_analyzed",
"type":"long"
},
"@timestamp":{
"type":"date",
"format":"dateOptionalTime"
},
"message":{
"type":"string",
"index":"not_analyzed",
"dynamic":false
}
}
}
},
"settings":{
"index.translog.flush_threshold_ops":50000,
"index.translog.flush_threshold_size":1073741824,
"refresh_interval":30,
"number_of_replicas":0,
"number_of_shards":1
},
"template":"gelf-*"
}
和logstash输出:
output {
if [type] == "gelf" {
elasticsearch {
index => 'logstash-%{+YYYY.MM.dd}'
protocol => http
template_name => 'logstash-*'
workers => 4
template_overwrite => true
template => '/etc/logstash/index-template.json'
}
} else {
elasticsearch {
index => 'logstash-%{+YYYY.MM.dd}'
protocol => http
template_name => 'gelf-*'
workers => 4
template_overwrite => true
template => '/etc/logstash/gelf-template.json'
}
}
}
当json里面的新消息" message"收到字段我在ES上有映射: http://pastebin.com/R9Ei3zEK