跟着我上一个问题:ElasticSearch overriding mapping from text to object
我有一个索引模板:
{
"template" : "project.*",
"order" : 100,
"dynamic_templates": [
{
"message_field": {
"mapping": {
"type": "object"
},
"match": "message"
},
"message_properties": {
"path_match": "message.*",
"mapping": {
"type": "string",
"index": "not_analyzed"
}
}
}
]
}
基本上为“消息”字段下的所有内容创建新字段。我这样做是因为“消息”字段在另一个索引模板中被映射为字符串,所以我将其覆盖。
示例文档:
{
"level": "30",
...
"kubernetes": {
"container_name": "data-sync-server",
"namespace_name": "alitest03",
...
},
"message": {
"tag": "AUDIT",
"requestId": 1234,
...
},
}
...
}
这很好用,但是最终创建了诸如“ tag”和“ requestId”之类的顶级字段。 我不想污染最高级别,希望拥有诸如“ audit.tag”,“ audit.requestId”之类的字段。
使用copy_to进行了这样的尝试,但是我没有看到任何“ audit。*”字段:
{
"template" : "project.*",
"order" : 100,
"dynamic_templates": [
{
"message_field": {
"mapping": {
"type": "object"
},
"match": "message"
},
"message_properties": {
"path_match": "message.*",
"mapping": {
"type": "string",
"index": "not_analyzed",
"copy_to" : "audit.{name}"
}
}
}
]
}
下面是将上面的模板与copy_to一起使用时的示例搜索结果。我没有看到任何“ audit。*”字段。
{
"timestamp": "October 15th 2018, 15:46:15.994",
"_id": "YmI1NDRjMTgtZTY3Ni00ZGUxLTk2NDMtOTJhZjk3ZWU1YTJj",
"_index": "project.alitestproj02.aa564e69-c643-11e8-af2a-fa163e4c9c9e.2018.10.15",
"_score": "",
"_type": "com.redhat.viaq.common",
...
"kubernetes.container_name": "data-sync-server",
"kubernetes.namespace_name": "alitestproj02",
...
"message": "{\"level\":30,\"time\":1539607575994,\"pid\":19,\"hostname\":\"data-sync-server-6-pxcsm\",\"tag\":\"AUDIT\",\"msg\":\"\",\"requestId\":20355,\"operationType\":\"query\",\"parentTypeName\":\"Meme\",\"path\":\"allMemes.866.owner\",\"success\":true,\"parent\":{\"_type\":\"meme\",\"photourl\":\"photo472\",\"owner\":\"owner35\",\"likes\":0,\"_id\":\"zzEnLAQmQeuTC1mj\",\"createdAt\":\"2018-10-15T11:58:33.896Z\",\"updatedAt\":\"2018-10-15T11:58:33.896Z\",\"id\":\"zzEnLAQmQeuTC1mj\"},\"arguments\":{},\"dataSourceType\":\"InMemory\",\"v\":1}\n",
"requestId": "20355",
"tag": "AUDIT",
...
"v": 1
}