I am running ElasticSearch 6.2.4. I am trying to create the Filebeat index template, but I get the following error:
{
"error" : {
"root_cause" : [
{
"type" : "mapper_parsing_exception",
"reason" : "No handler for type [string] declared on field [message]"
}
],
"type" : "mapper_parsing_exception",
"reason" : "Failed to parse mapping [_default_]: No handler for type [string] declared on field [message]",
"caused_by" : {
"type" : "mapper_parsing_exception",
"reason" : "No handler for type [string] declared on field [message]"
}
},
"status" : 400
}
filebeat-index.template.json
{
"mappings": {
"_default_": {
"_all": {
"enabled": true,
"norms": {
"enabled": false
}
},
"dynamic_templates": [
{
"template1": {
"mapping": {
"doc_values": true,
"ignore_above": 1024,
"index": "not_analyzed",
"type": "{dynamic_type}"
},
"match": "*"
}
}
],
"properties": {
"@timestamp": {
"type": "date"
},
"message": {
"type": "string",
"index": "analyzed"
},
"offset": {
"type": "long",
"doc_values": "true"
},
"geoip" : {
"type" : "object",
"dynamic": true,
"properties" : {
"location" : { "type" : "geo_point" }
}
}
}
}
},
"settings": {
"index.refresh_interval": "5s"
},
"template": "filebeat-*"
}
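I would like to know whether there is an official filebeat-index-template.json for ElasticSearch 6.2.4.
filebeat -c "/etc/filebeat/filebeat.yml" export template > filebeat.template.json, but filebeat keeps running forever without creating anything.
"type": "string" changed to "type": "text", but then there was a missing _all error.
_all, but then ElasticSearch keeps getting parse errors when Logstash sends data to ElasticSearch.
I also tried to find out the version of my Filebeat. I tried: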
> filebeat -v
Loading config file error: Failed to read /root/filebeat.yml: open /root/filebeat.yml: no such file or directory. Exiting.
> filebeat -v -c "/etc/filebeat/filebeat.yml"
(it stuck forever)
I am following this https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-elk-stack-on-ubuntu-14-04, but instead of using ElasticSearch 2.0 and Kibana 4.5, I installed ElasticSearch 6.2.4, Kibana 6.2.4 and Logstash 6.2.4, on Ubuntu 16.04.4 LTS.
Now I have upgraded Filebeat to 6.2.4. Now I get this error:
Exiting: Could not start registrar: Error loading state: Error decoding states: json: cannot unmarshal object into Go value of type []file.State
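I got rid of this error with rm /var/lib/filebeat/registry. Now I can do filebeat export template > template.json, and it works fine now. I will close this question soon.
Answer 0: (score: 1)
Try using this JSON, modified for Elastic 6.0, for filebeat-index.template.json:
{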
"mappings": {
"_default_": {
"dynamic_templates": [
{
"template1": {
"mapping": {
"doc_values": true,
"ignore_above": 1024,
"index": "false",
"type": "{dynamic_type}"
},
"match": "*"
}
}
],
"properties": {
"@timestamp": {
"type": "date"
},
"message": {
"type": "text",
"index": "true"
},
"offset": {
"type": "long",
"doc_values": "true"
},
"geoip": {
"type": "object",
"dynamic": true,
"properties": {
"location": {
"type": "geo_point"
}
}
}
}
}
},
"settings": {
"index.refresh_interval": "5s"
},
"template": "filebeat-*"
}
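Basically, I changed the message type from string to text. Also, from Elastic 6.0 on, the index field takes true or false instead of analyzed.
After running this command (as suggested in your blog):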
curl -XPUT 'http://localhost:9200/_template/filebeat?pretty' -d@filebeat-index-template.json -H 'Content-Type: application/json'
I managed to get the correct acknowledgement from Elastic:
{
"acknowledged" : true
}
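I have not tested it yet, but please let me know whether it works for you.
You may notice that the _all template has also been removed from the original json. Why? Apparently it is deprecated in Elastic 6.0, and there is a way to use copy_to as suggested here, but I have not figured it out yet.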
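Answer 1: (score: 0)
When generating the template, you should be able to use --es.version 6.2.4 so that it outputs the appropriate mappings for your Elasticsearch version.
See the instructions on Load the template manually (alternate method). They show the following example for Windows, but it also works on Linux.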
PS > .\filebeat.exe export template --es.version 6.6.2 | Out-File -Encoding UTF8 filebeat.template.json