我正在尝试将日志从logstash流式传输到elasticsearch(5.5.0)。我正在使用filebeat将日志发送到logstash。
我没有定义任何索引;当第一次按下数据时,它会自动定义(比如“test1”)。
现在,我想创建另一个索引(“test2”),以便我可以管理字段数据类型。为此,我获得了test1的映射。更新了索引名称。并且PUT使用这些数据调用了test2。但是,它失败了以下结果:
`ubuntu @ elasticsearch:〜$ curl -XPUT'localhost:9200 / test2?pretty'-H'Content-Type:application / json'-d'@ / tmp / mappings_test.json'{
"error" : {
"root_cause" : [
{
"type" : "illegal_argument_exception",
"reason" : "unknown setting [index.test2.mappings.log.properties.@timestamp.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings"
}
],
"type" : "illegal_argument_exception",
"reason" : "unknown setting [index.test2.mappings.log.properties.@timestamp.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings"
},
"status" : 400
}
`
以下是我正在使用的json的摘录。 `
{
"test2" : {
"mappings" : {
"log" : {
"properties" : {
"@timestamp" : {
"type" : "date"
},
"@version" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"accept_date" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
....
`
我只修改了索引名称。其余内容与test1索引的映射相同。
如何通过更新类型来创建这个新索引,我们对此有何帮助?
答案 0 :(得分:3)
您需要在第二行删除test2,并且只有mappings:
PUT test2
{
"mappings" : { <---- this needs to be at the top level
"log" : {
"properties" : {
"@timestamp" : {
"type" : "date"
},
"@version" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"accept_date" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
....