我有一个嵌套字段,其中包含JSON数组中的数组,如下所示:
{
"foo": {
"bar": [
[
"a",
"b"
],
[
"c",
"d"
]
]
}
}
以下是我的配置文件:
input {
file {
codec => "json"
path => "pathtofile"
type => "footype"
start_position => "beginning"
}
}
filter {
json {
source => "message"
remove_field => [ "host", "message", "path" ]
}
}
output {
elasticsearch {
action => "index"
index => "bar"
hosts => [ "http://localhost:9200" ]
}
}
我收到以下错误:
09:40:47.725 [[main]> worker0] WARN logstash.outputs.elasticsearch - 行动失败。 {:status => 400,:action => [“index”,{:_ id => nil, :_index =>“bar”,:_ type =>“footype”,:_routing => nil}, 2017-02-13T01:40:30.387Z myconnection%{message}], :response => {“index”=> {“_ index”=>“bar”,“_ type”=>“footype”, “_id”=>“AVo1IN0vK2jgwdCXqZ-q”,“status”=> 400, “error”=> {“type”=>“illegal_argument_exception”,“reason”=>“mapper 不同类型的[foo.bar],current_type [long],merged_type [文本]“}}}}
我觉得这是阵列问题。我做了一些研究,并知道阵列没有得到很好的支持。但是我需要在elasticsearch中摄取数组。有没有办法真正做到这一点?
任何帮助将不胜感激。
答案 0 :(得分:1)
我通过使用红宝石滤镜解决了这个问题:
ruby {
code => '
j = 0
for i in event.get("[foo][bar]") do
#i is an array element in the big array
l = 0
for k in i do
event.set("item#" + j.to_s + "#" + l.to_s, k)
l = l + 1
end
j = j + 1
end
'
}
这最终会产生字段
item#0#0 = "a"
item#0#1 = "b"
item#1#0 = "c"
item#1#1 = "d"