Logstash + Elasticsearch模板映射無法添加到Elasticsearch

Question

我正在嘗試為elasticsearch中的所有logstash索引添加自定義模板，但是，每當我添加一個自定義模板時，logstash都會在所有日志上引發400錯誤，並且無法向elasticsearch添加任何內容。

我正在使用用於Elasticsearch的REST API添加模板：

POST _template/logstash

{
    "order": 0,
    "template" : "logstash*",
    "settings": {
        "index.refresh_interval": "5s"
    },
    "mappings": {
        "_default_": {
            "_all" : {
                "enabled" : true,
                "omit_norms": true
            },
            "dynamic_templates": [
                {
                    "message_field": {
                        "mapping": {
                            "index": "analyzed",
                            "omit_norms": true,
                            "type": "string"
                        },
                        "match_mapping_type": "string",
                        "match": "message"
                    }
                },
                {
                    "string_fields": {
                        "mapping": {
                            "index": "analyzed",
                            "omit_norms": true,
                            "type": "string",
                            "fields": {
                                "raw": {
                                    "ignore_above": 256,
                                    "index": "not_analyzed",
                                    "type": "string"
                                }
                            }
                        },
                        "match_mapping_type": "string",
                        "match": "*"
                    }
                }
            ],
            "properties": {
                "geoip": {
                    "dynamic": true,
                    "type": "object",
                    "properties": {
                        "location": {
                            "type": "geo_point"
                        }
                    }
                },
                "@version": {
                    "index": "not_analyzed",
                    "type": "string"
                },
                "@fields": {
                    "type": "object",
                    "dynamic": true,
                    "path": "full"
                },
                "@message": {
                    "type": "string",
                    "index": "analyzed"
                },
                "@source": {
                    "type": "string",
                    "index": "not_analyzed"
                },
                "method": {
                    "type": "string",
                    "index": "not_analyzed"
                },
                "requested": {
                    "type": "date",
                    "format": "dateOptionalTime",
                    "index": "not_analyzed"
                },
                "response_time": {
                    "type": "float",
                    "index": "not_analyzed"
                },
                "hostname": {
                    "type": "string",
                    "index": "not_analyzed"
                },
                "ip": {
                    "type": "string",
                    "index": "not_analyzed"
                },
                "error": {
                    "type": "string",
                    "index": "not_analyzed"
                }
            }
        }
    }
}

Answer 1

您應該嘗試使用logstash添加模板，而不是直接使用rest api。 在您的logstash配置中：

output {
  elasticsearch {
    # add additional configurations appropriately
    template => # path to the template file you want to use
    template_name => "logstash"
    template_overwrite => true
  }
}