Logstash + Elasticsearch模板映射无法添加到Elasticsearch

Question

I'm trying to add a custom template for all logstash indexes in elasticsearch, however whenever I add one, logstash raises a 400 error on all the logs and fails to add anything to elasticsearch.

I'm adding the template using the REST API for elasticsearch:

POST _template/logstash

{
    "order": 0,
    "template" : "logstash*",
    "settings": {
        "index.refresh_interval": "5s"
    },
    "mappings": {
        "_default_": {
            "_all" : {
                "enabled" : true,
                "omit_norms": true
            },
            "dynamic_templates": [
                {
                    "message_field": {
                        "mapping": {
                            "index": "analyzed",
                            "omit_norms": true,
                            "type": "string"
                        },
                        "match_mapping_type": "string",
                        "match": "message"
                    }
                },
                {
                    "string_fields": {
                        "mapping": {
                            "index": "analyzed",
                            "omit_norms": true,
                            "type": "string",
                            "fields": {
                                "raw": {
                                    "ignore_above": 256,
                                    "index": "not_analyzed",
                                    "type": "string"
                                }
                            }
                        },
                        "match_mapping_type": "string",
                        "match": "*"
                    }
                }
            ],
            "properties": {
                "geoip": {
                    "dynamic": true,
                    "type": "object",
                    "properties": {
                        "location": {
                            "type": "geo_point"
                        }
                    }
                },
                "@version": {
                    "index": "not_analyzed",
                    "type": "string"
                },
                "@fields": {
                    "type": "object",
                    "dynamic": true,
                    "path": "full"
                },
                "@message": {
                    "type": "string",
                    "index": "analyzed"
                },
                "@source": {
                    "type": "string",
                    "index": "not_analyzed"
                },
                "method": {
                    "type": "string",
                    "index": "not_analyzed"
                },
                "requested": {
                    "type": "date",
                    "format": "dateOptionalTime",
                    "index": "not_analyzed"
                },
                "response_time": {
                    "type": "float",
                    "index": "not_analyzed"
                },
                "hostname": {
                    "type": "string",
                    "index": "not_analyzed"
                },
                "ip": {
                    "type": "string",
                    "index": "not_analyzed"
                },
                "error": {
                    "type": "string",
                    "index": "not_analyzed"
                }
            }
        }
    }
}

Answer 1

you should try to add the template using logstash instead of using the rest api directly. In your logstash configuration:

output {
  elasticsearch {
    # add additional configurations appropriately
    template => # path to the template file you want to use
    template_name => "logstash"
    template_overwrite => true
  }
}