我不明白为什么它不起作用。我试图按sort.field对索引进行排序:" @ timestamp"并且它说"未知索引排序字段:[@ timestamp]。
我也尝试过使用" timestamp"和另一个类型" date"但仍然没有成功。使用字段类型" ip"给出了同样的错误。
这里出现错误信息:
[2018-06-05T01:45:32,102][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"xxx-logstash-2018.06.05", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x43ff9351>], :response=>{"index"=>{"_index"=>"xxx-logstash-2018.06.05", "_type"=>"doc", "_id"=>nil, "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"unknown index sort field:[@timestamp]"}}}}
这里是字段映射:
"properties": {
"@timestamp": {
"type": "date",
"format": "dateOptionalTime"
},
"log_date": {
"type": "date"
},
"@version": {
"type": "keyword"
},
"geoip": {
"dynamic": true,
"properties": {
"ip": {
"type": "ip"
},
"location": {
"type": "geo_point"
},
"latitude": {
"type": "half_float"
},
"longitude": {
"type": "half_float"
}
}
}
}
这里是索引模板设置:
"settings": {
"index": {
"codec": "best_compression",
"refresh_interval": "30s",
"sort": {
"field": "@timestamp",
"order": "desc"
},
"store": {
"type": "niofs"
},
"number_of_shards": "3",
"number_of_replicas": "1"
}
},