ElasticSearch 6.2.4的filebeat-index-template.json
[英]filebeat-index-template.json for ElasticSearch 6.2.4
问题描述
I am running ElasticSearch 6.2.4. 
我正在运行ElasticSearch 6.2.4。 I tried to create Filebeat index template, but got the following error 我试图创建Filebeat索引模板,但得到以下错误
{
"error" : {
"root_cause" : [
{
"type" : "mapper_parsing_exception",
"reason" : "No handler for type [string] declared on field [message]"
}
],
"type" : "mapper_parsing_exception",
"reason" : "Failed to parse mapping [_default_]: No handler for type [string] declared on field [message]",
"caused_by" : {
"type" : "mapper_parsing_exception",
"reason" : "No handler for type [string] declared on field [message]"
}
},
"status" : 400
}
filebeat-index.template.json filebeat-index.template.json
{
"mappings": {
"_default_": {
"_all": {
"enabled": true,
"norms": {
"enabled": false
}
},
"dynamic_templates": [
{
"template1": {
"mapping": {
"doc_values": true,
"ignore_above": 1024,
"index": "not_analyzed",
"type": "{dynamic_type}"
},
"match": "*"
}
}
],
"properties": {
"@timestamp": {
"type": "date"
},
"message": {
"type": "string",
"index": "analyzed"
},
"offset": {
"type": "long",
"doc_values": "true"
},
"geoip" : {
"type" : "object",
"dynamic": true,
"properties" : {
"location" : { "type" : "geo_point" }
}
}
}
}
},
"settings": {
"index.refresh_interval": "5s"
},
"template": "filebeat-*"
}
I wonder if there is official filebeat-index-template.json that work for ElasticSearch 6.2.4 我想知道是否有适用于ElasticSearch 6.2.4的官方filebeat-index-template.json
Other thing that I have tried 我试过的其他事情
- Try
filebeat -c "/etc/filebeat/filebeat.yml" export template > filebeat.template.json, but the filebeat will keep running forever without creating anything.尝试使用filebeat -c "/etc/filebeat/filebeat.yml" export template > filebeat.template.json,但filebeat将继续运行而不创建任何内容。 - I've tried to change
"type": "string"to"type": "text",, but got another error where_allis deprecated.我试图将"type": "string"更改为"type": "text",,但是在_all被弃用的情况下又出现了另一个错误。 - I've also tried to remove
_all, but ElasticSearch keep have parsing error when Logstash send data to ElasticSearch.我也尝试删除_all,但是当Logstash将数据发送到ElasticSearch时,ElasticSearch会继续解析错误。
Filebeat Version [Old] Filebeat版本[旧]
I also try to find out the version of my Filebeat. 我也试图找出我的Filebeat的版本。 I tried 我试过了
> filebeat -v
Loading config file error: Failed to read /root/filebeat.yml: open /root/filebeat.yml: no such file or directory. Exiting.
> filebeat -v -c "/etc/filebeat/filebeat.yml"
(it struck forever)
I am following this https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-elk-stack-on-ubuntu-14-04 , but instead of using ElasticSearch 2.0 and Kibana 4.5, I am installing ElasticSearch 6.2.4, Kibana 6.2.4, and Logstash 6.2.4 and Ubuntu 16.04.4 LTS 我正在关注此https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-elk-stack-on-ubuntu-14-04 ,但不是使用ElasticSearch 2.0和Kibana 4.5,我正在安装ElasticSearch 6.2.4,Kibana 6.2.4,以及Logstash 6.2.4和Ubuntu 16.04.4 LTS
Upgrading to Filebeat 6.2.4 升级到Filebeat 6.2.4
Now I am upgrading Filebeat to 6.2.4. 现在我将Filebeat升级到6.2.4。 Now I get this error 现在我收到了这个错误
Exiting: Could not start registrar: Error loading state: Error decoding states: json: cannot unmarshal object into Go value of type []file.State
I removed this error by rm /var/lib/filebeat/registry . 我通过rm /var/lib/filebeat/registry删除了此错误。 Now I can do filebeat export template > template.json and it work fine now. 现在我可以做filebeat export template > template.json ,它现在工作正常。 I will close the question soon. 我很快就会结束这个问题。
2 个解决方案
解决方案1
1 2018-08-07 22:56:14
Try to use this elastic 6.0 modified json for filebeat-index.template.json 尝试将此弹性6.0修改过的json用于filebeat-index.template.json
{
"mappings": {
"_default_": {
"dynamic_templates": [
{
"template1": {
"mapping": {
"doc_values": true,
"ignore_above": 1024,
"index": "false",
"type": "{dynamic_type}"
},
"match": "*"
}
}
],
"properties": {
"@timestamp": {
"type": "date"
},
"message": {
"type": "text",
"index": "true"
},
"offset": {
"type": "long",
"doc_values": "true"
},
"geoip": {
"type": "object",
"dynamic": true,
"properties": {
"location": {
"type": "geo_point"
}
}
}
}
}
},
"settings": {
"index.refresh_interval": "5s"
},
"template": "filebeat-*"
}
Basically I changed the message type from string to text . 基本上我将消息类型从字符串更改为文本 。 Also from elastic 6.0 onwards the index field uses true or false , instead of analyzed . 同样从弹性6.0开始,索引字段使用true或false ,而不是分析 。
After running this command (as suggested in the blog you are referring to above): 运行此命令后(如上所述的博客中所示):
curl -XPUT 'http://localhost:9200/_template/filebeat?pretty' -d@filebeat-index-template.json -H 'Content-Type: application/json'
I managed to get the correct confirmation from elastic: 我设法从弹性中得到了正确的确认:
{
"acknowledged" : true
}
I haven't tested it yet, but please let me know if it works for you. 我还没有测试过,但请告诉我它是否适合您。
You will probably notice that the _all template is also removed from the original json. 您可能会注意到_all模板也从原始json中删除。 Why? 为什么? Apparently it was depreciated in elastic 6.0 and there are ways to use copy_to instead as suggested in here but I haven't figured it out yet. 显然它在弹性6.0中被折旧,并且有很多方法可以使用copy_to而不是像这里所建议的那样,但我还没有想出来。
解决方案2
0 2019-03-13 19:35:01
You should be able to use --es.version 6.2.4 when you generate the template to have it output the appropriate mappings for your version of elasticsearch. 您应该能够在生成模板时使用--es.version 6.2.4 ,以便为您的--es.version 6.2.4版本输出适当的映射。
Check out the instructions for Load the template manually (alternate method) . 查看手动加载模板的说明(备用方法) 。 They show the following example for windows but it may work in linux too. 他们为windows显示以下示例,但它也可以在linux中运行。
PS > .\filebeat.exe export template --es.version 6.6.2 | Out-File -Encoding UTF8 filebeat.template.json
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.