Elasticsearch模板未按预期工作

时间:2017-03-21 15:57:00

标签: templates elasticsearch logstash kibana filebeat

我有一个Elasticsearch模板,通过Filebeat加载到ES中。同时我让Filebeat把数据发送到Logstash……以下是相关配置。

Elasticsearch模板

{
"template": "filebeat-*",
"mappings": {
    "product__name": {
        "properties": {
            "@timestamp": {
                "type": "date",
                "format": "strict_date_optional_time||epoch_millis"
            },
            "@version": {
                "type": "text"
            },
            "beat": {
                "properties": {
                    "hostname": {
                        "type": "text"
                    },
                    "name": {
                        "type": "text"
                    }
                }
            },
            "class_method": {
                "type": "text"
            },
            "class_name": {
                "type": "text",
                "index": "true",
                "fielddata": "true"
            },
            "clientip": {
                "type": "ip"
            },
            "count": {
                "type": "long"
            },
            "host": {
                "type": "text"
            },
            "input_type": {
                "type": "text"
            },
            "log_level": {
                "type": "text",
                "fielddata": "true",
                "index": "true"
            },
            "log_message": {
                "type": "text",
                "index": "true"
            },
            "log_timestamp": {
                "type": "text"
            },
            "log_ts": {
                "type": "long"
            },
            "message": {
                "type": "text"
            },
            "offset": {
                "type": "long"
            },
            "query_params": {
                "type": "text",
                "fielddata": "true",
                "index": "true"
            },
            "sessionid": {
                "type": "text",
                "index": "true"
            },
            "source": {
                "type": "text"
            },
            "tags": {
                "type": "text"
            },
            "thread": {
                "type": "text",
                "index": "true"
            },
            "type": {
                "type": "text"
            },
            "user_account_combo": {
                "type": "text",
                "index": "true"
            },
            "version": {
                "type": "text"
            }
        }
    },
    "access": {
        "properties": {
            "@timestamp": {
                "type": "date",
                "format": "strict_date_optional_time||epoch_millis"
            },
            "@version": {
                "type": "text"
            },
            "beat": {
                "properties": {
                    "hostname": {
                        "type": "text"
                    },
                    "name": {
                        "type": "text"
                    }
                }
            },
            "clientip": {
                "type": "ip"
            },
            "count": {
                "type": "long"
            },
            "host": {
                "type": "text",
                "index": "true"
            },
            "input_type": {
                "type": "text"
            },
            "log_timestamp": {
                "type": "text"
            },
            "log_ts": {
                "type": "long"
            },
            "message": {
                "type": "text"
            },
            "offset": {
                "type": "long"
            },
            "query_params": {
                "type": "text",
                "fielddata": "true",
                "index": "true"
            },
            "response_time": {
                "type": "long"
            },
            "sessionid": {
                "type": "text",
                "index": "true"
            },
            "source": {
                "type": "text"
            },
            "statuscode": {
                "type": "long"
            },
            "tags": {
                "type": "text"
            },
            "thread": {
                "type": "text",
                "index": "true"
            },
            "type": {
                "type": "text",
                "index": "true"
            },
            "uripath": {
                "type": "text",
                "fielddata": "true",
                "index": "true"
            },
            "user_account_combo": {
                "type": "text",
                "index": "true"
            },
            "verb": {
                "type": "text",
                "fielddata": "true",
                "index": "true"
            }
        }
    }
}
}

filebeat config (已修剪)

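# Filebeat output section (trimmed by the author). Two outputs are configured
# side by side: a direct Elasticsearch output, which also carries the template
# settings, and a Logstash output.
output.elasticsearch:
  # No scheme is given, so the Beats default protocol (http) applies.
  # NOTE(review): no username/password or ssl settings are visible in this
  # trimmed excerpt - confirm the connection is authenticated and encrypted
  # before using it outside a lab network.
  hosts: ["10.10.43.210:9200"]
  template:
    name: filebeat
    # Relative path; presumably resolved against Filebeat's configuration
    # directory - verify where the file actually lives.
    path: "test-template.json"
    # Replace a template of the same name that already exists in Elasticsearch.
    overwrite: true

output.logstash:
  # NOTE(review): no ssl settings are visible for the Beats -> Logstash link
  # either; without them the log events travel in clear text - confirm.
  hosts: ["10.10.43.210:5044"]
  worker: 2
  # Index root name. Presumably this is the value Logstash later sees as
  # [@metadata][beat] when it builds the index name - verify.
  index: filebeat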

Logstash配置(修剪)

# Logstash output stage (trimmed by the author): every event goes to stdout
# and to Elasticsearch.
output {
  # Prints each event to Logstash's standard output.
  # NOTE(review): handy for debugging, but it also copies fields such as
  # sessionid, clientip and query_params into the service log - confirm this
  # is not left enabled where that log is widely readable.
  stdout { }
  elasticsearch {
    # NOTE(review): no user/password or ssl options are visible in this
    # trimmed excerpt - confirm the cluster is not reachable unauthenticated.
    hosts => "elasticsearch:9200"
    # Logstash does not install its own index template; whatever template is
    # already stored in Elasticsearch for the matching index pattern applies.
    manage_template => false
    # Index name = value of [@metadata][beat] plus a daily date suffix.
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    # The mapping type of each document comes from [@metadata][type].
    # NOTE(review): the template's mappings are keyed by type name; a document
    # whose type has no entry there would be mapped dynamically - confirm the
    # type values sent by Filebeat match the names used in the template.
    document_type => "%{[@metadata][type]}"
  }
  # (excerpt is trimmed: the closing brace of `output` is not shown)

最后......这就是Kibana中出现的内容:

Kibana fields

所以问题是:既然我已经非常明确地指定了所有想要的类型,并且没有让Logstash覆盖我的模板,为什么还会看到.keyword字段?我是不是漏掉了什么?

1 个答案:

答案 0 :(得分:0)

Kibana 5.x为所有string字段生成.keyword字段。这允许您基于整个字段的值进行聚合。例如,如果您想对host字段的唯一值进行计数,则可以在host.keyword上执行聚合。

因此,这种行为并不意味着您的模板被覆盖,而是Kibana的有意行为,目的是让您能够对字符串字段进行聚合。如果要检查Logstash是否以某种方式覆盖了您的模板,可以在Elasticsearch上执行 curl elasticsearch:9200/{template_name}?pretty,它将显示您的索引映射。这可以帮助您验证索引是否正在使用您期望的映射。