- elasticsearch/
elasticsearch 如何使用/映射Kibana索引中的字段“geoip.locations”,该索引正在查找类型“geo_point”?
elasticsearch 如何使用/映射Kibana索引中的字段“geoip.locations”,该索引正在查找类型“geo_point”?
我有一个日志,它从一个名为“message”的已解析json字段返回一个名为“ip”的字段 我已将logstash.conf文件设置为:
filter {
json {
source => "message"
}
geoip {
source => "ip"
target => "geoip"
#add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
#add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
#mutate {
# convert => [ "[geoip][coordinates]", "float"]
#}
}
The "myindex*" index pattern does not contain any of the following field types: geo_point
{
"<my index>": {
"mappings": {
"%{[@metadata][type]}": {
"properties": {
"@timestamp": {
"type": "date"
},
"@version": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"host": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"message": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"type": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"tracking log": {
"properties": {
"@timestamp": {
"type": "date"
},
"@version": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"accept_language": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"agent": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"beat": {
"properties": {
"hostname": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"version": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"context": {
"properties": {
"course_id": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"course_user_tags": {
"type": "object"
},
"org_id": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"path": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"user_id": {
"type": "long"
}
}
},
"event": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"event_source": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"event_type": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"geoip": {
"properties": {
"city_name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"continent_code": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"coordinates": {
"type": "float"
},
"country_code2": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"country_code3": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"country_name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"dma_code": {
"type": "long"
},
"ip": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"latitude": {
"type": "float"
},
"location": {
"type": "float"
},
"longitude": {
"type": "float"
},
"postal_code": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"region_code": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"region_name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"timezone": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"host": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"input_type": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"ip": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"message": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"offset": {
"type": "long"
},
"page": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"referer": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"session": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"source": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"tags": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"time": {
"type": "date"
},
"type": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"username": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
}
}
}
}
curl -XPOST -u elastic 'localhost:9200/_template/<my index>' -H 'Content-Type: application/json' -d'
{"order": 0, "template": "<my index>*","mappings": {"_default_": {"dynamic_templates": [{"location_fields": {"mapping": {"type": "geo_point"},"match": "geoip"}}]}}}
'
POST /_template/myindex
{
"order": 0,
"template": "myindex*",
"mappings": {
"_default_": {
"dynamic_templates": [
{
"location_fields": {
"mapping": {
"type": "geo_point"
},
"match": "location"
}
}
]
}
}
}
在任何情况下,您都需要重新索引数据以获得正确的映射,然后告诉kibana在设置下重新加载索引映射。好-我在@Alcanzar的帮助下解决了这个问题。显然,正如他所说的,一旦数据被发送到字段,就不可能更改字段的类型——基本上,一旦您启动了日志存储并开始使用它 所以-要将geoip.location映射为键入geo_point-这里是我所做的: 步骤: 我停止了罗格斯塔什 2使用“删除”删除了我的索引/ 3在Kibana开发控制台中使用“PUT/”创建了一个具有我想要的名称的新索引 4使用“geoip.location”而不是“location”应用了上述Alcanzar提供的映射 5.重新启动日志存储 现在geoip.location是geo_point类型
很明显,对于一些经验丰富的ES用户来说,这些是需要采取的步骤,但对我来说并非如此。我希望这对其他人有帮助。好的,我做到了。/_上的curl模板显示它在那里,但是/_上的curl映射没有显示它。我哪里出错了?我现在索引中有所有大地水准面字段,但没有一个映射到geo_point。模板仅在创建索引时应用,并且无法更改现有字段的映射。所以你需要删除索引并重新索引你的数据。仍然出现此错误:没有兼容的字段:*索引模式不包含以下任何字段类型:geo_point您可以共享实际的/myindex/_映射以确保字段的名称正确且存在吗?在最近的编辑中共享。它是否像重新启动ES服务一样简单?还是我把邮件弄坏了?