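I had a working Logstash and Elasticsearch on version 5.1.
I deleted all the indices and then upgraded to 6.1.
Now, when Logstash receives some events from Filebeat (still version 5.1), it throws this error: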
[2017-12-27T17:29:16,463][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch.
{
  :status => 400,
  :action => ["index", {:_id=>nil, :_index=>"logstash-2017.12.27", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x34de85bd>],
  :response => {
    "index" => {
      "_index" => "logstash-2017.12.27",
      "_type" => "doc",
      "_id" => nil,
      "status" => 400,
      "error" => {
        "type" => "mapper_parsing_exception",
        "reason" => "Failed to parse mapping [_default_]: [include_in_all] is not allowed for indices created on or after version 6.0.0 as [_all] is deprecated. As a replacement, you can use an [copy_to] on mapping fields to create your own catch all field.",
        "caused_by" => {
          "type" => "mapper_parsing_exception",
          "reason" => "[include_in_all] is not allowed for indices created on or after version 6.0.0 as [_all] is deprecated. As a replacement, you can use an [copy_to] on mapping fields to create your own catch all field."
        }
      }
    }
  }
}
I even tried an extremely simple pipeline, as shown below:
input {
  beats {
    port => 5044
  }
}
filter {
  json {
    source => "message"
  }
}
output {
  elasticsearch { hosts => ["localhost:9200"] }
}
However, it throws this error over and over again.
Any idea what is wrong here?
Answer 0: (score: 2)
This answer just expands on what @alexanderlz said. From Kibana's DevTools page I ran this:
GET /_template/
to list all templates.
This is the template (partial) that we need to delete/modify:
"logstash": {
  "order": 0,
  "version": 60001,
  "index_patterns": [
    "logstash-*"
  ],
Then run
DELETE /_template/logstash
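Once that is done, restart Logstash and it will reinstall a new, correct template.
Answer 1: (score: 1)
Take a look at the changes in mapping, introduced in elasticsearch 6.0
You need to remove the include_in_all mapping parameter from your index template.
Can you paste the template/mapping here?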
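An added example, not part of either answer: Python that takes the JSON returned by GET /_template, reports every place include_in_all appears in each template's mappings, and returns a copy with that parameter removed. It goes slightly beyond the answers by checking all templates rather than only "logstash"; the sample template bodies and the function names are constructed for illustration.

```python
REJECTED_KEY = "include_in_all"

# Constructed sample shaped like a GET /_template response (an assumption,
# not the asker's real template).
SAMPLE_TEMPLATES = {
    "logstash": {"mappings": {"_default_": {
        "dynamic_templates": [
            {"message_field": {"mapping": {"type": "text", "include_in_all": True}}},
        ],
        "properties": {
            "@version": {"type": "keyword", "include_in_all": False},
            "geoip": {"properties": {"ip": {"type": "ip"}}},
        },
    }}},
    "metrics": {"mappings": {"doc": {"properties": {"value": {"type": "long"}}}}},
}


def find_rejected(node, path=""):
    """Return the path of every include_in_all key found under node."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key == REJECTED_KEY:
                hits.append(here)
            else:
                hits.extend(find_rejected(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_rejected(item, f"{path}[{i}]"))
    return hits


def strip_rejected(node):
    """Return a copy of node with every include_in_all key removed."""
    if isinstance(node, dict):
        return {k: strip_rejected(v) for k, v in node.items() if k != REJECTED_KEY}
    if isinstance(node, list):
        return [strip_rejected(v) for v in node]
    return node


def audit(templates):
    """Map template name -> offending mapping paths (clean templates omitted)."""
    report = {name: find_rejected(body.get("mappings", {}), "mappings")
              for name, body in templates.items()}
    return {name: hits for name, hits in report.items() if hits}
```

A template body cleaned with strip_rejected can be written back with PUT /_template/<name> when deleting the template and letting Logstash reinstall it is not an option.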