Question

我让kibana索引我的geoip数据。问题是我的数据在kibana中被索引为：

geoip.city_name
geoip.continent_code
geoip.country_code2
geoip.country_code3
geoip.country_name
geoip.dma_code
geoip.ip
geoip.latitude
geoip.location.lat
geoip.location.lon
geoip.longitude
geoip.postal_code
geoip.region_code
geoip.region_name
geoip.timezone

要使用我的数据创建地图，我需要将字段设置为geo_point。我在尝试构建地图时看到的错误是：

No Compatible Fields: The "csv" index pattern does not contain any of the following field types: geo_point

我找到了一些解决方案，我必须将索引从“csv”更改为logstash- *。当我改变我的索引时，我得到了以下错误：

[2017-10-13T11:01:03,653][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-csv", :_type=>"csv", :_routing=>nil}, 2017-10-13T09:01:03.039Z DESKTOP-hh 00.00.00.00,S], :response=>{"index"=>{"_index"=>"logstash-csv", "_type"=>"csv", "_id"=>"AV8UjolNaCIdC3w", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"[geoip.location] is defined as an object in mapping [csv] but this name is already used for a field in other types"}}}}

我无法解决上述错误（如果这是最终解决方案）

版本：

Elec: 5.6.2
Logstash: 5.6.2

conf file：

input {
    file {
        path => "C:\Users\JOEY2\Desktop\Deelproblemen\Applicatie\Output\OutputIPInfo.csv"
        start_position => "beginning"
        sincedb_path => "/dev/null"
    }
}

filter {
    csv {
        separator => ","
        columns => [IP, city, country, region, org, Latitude, Longitude, SpamList, Headers]
    }
    mutate {
        convert =>{
            "Latitude" => "float"
            "Longitude" => "float"
            }
        rename => [ "Latitude", "[location][lat]", "Longitude", "[location][lon]" ]
   }
    geoip { source => "IP" }
}

output {
    elasticsearch {
        action => "index"
        hosts => "http://localhost:9200"
        index => "csv"
        document_type => "csv"
    }
}

映射：

C:\Users\JOEY2\Downloads\curl-7.56.0-win64-ming\curl-7.56.0-win64-mingw\bin>curl -s localhost:9200/logstash-*/_mapping/?pretty
{
  "logstash-csv" : {
    "mappings" : {
      "my_type" : {
        "dynamic" : "true",
        "properties" : {
          "geoip" : {
            "dynamic" : "true",
            "properties" : {
              "location" : {
                "type" : "geo_point"
              }
            }
          }
        }
      }
    }
  }
}

我确实制作了一个我在另一个解决方案中看到的模板：

PUT _template/logstash
{
  "template": "logstash-*", 
  "settings": {
    "number_of_replicas": 1,
    "number_of_shards": 2
  },
  "mappings": {
    "my_type": {
      "dynamic": "true",
      "properties": {
        "geoip": {
          "dynamic": true,
          "properties": {
            "location": {
              "type": "geo_point"
            }}        }     }    }  }}

感觉就像我错过了一些容易但却无法弄清楚它是什么。谢谢！

Answer 1

使用您提到的最后一步时需要小心，因为您可能会覆盖默认模板，并且需要一个正确的顺序，告诉Elasticsearch何时在默认模式之前或之后应用它。

我遇到过这个问题，如果索引以除logstash之外的任何内容开头，你就是对的 - *它会抱怨字段类型geo_point。

curl -XPUT 'localhost:9200/_template/csv' -H 'Content-Type: application/json' -d'
{
    "template": "csv", #this is your index name pattern
    "order": 2, #means apply after the default logstash template
    "settings": {
        #your settings go here
    },

    #add your mapping here
}'

否则唯一有保证的解决方案是让您的索引名称以logstash - *

开头

Answer 2

您不能填写索引的数据类型。但是您可以重新索引。请参阅链接：https://www.elastic.co/guide/en/elasticsearch/reference/5.5/docs-reindex.html

Kibana geoip映射错误|无法改变索引

2 个答案: