
Elasticsearch: Elastic Stack mapper parsing


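I have a problem with dynamic mapping. I have a field, message, which is JSON, and Elasticsearch, using the json filter plugin, determines that the fields of this field are different. What can I do? I want to parse it and add fields; I don't care about the types of these fields.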

I found the following error in logstash:

[2019-02-13T13:12:20,087][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"filebeat-2019.02.13", :_type=>"doc", :routing=>nil}, #], :response=>{"index"=>{"_index"=>"filebeat-2019.02.13", "_type"=>"doc", "_id"=>"uhzF5mgBmZ_b74M8qLSn", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"object mapping for [TestJson.payload] tried to parse field [payload] as object, but found a concrete value"}}

My grok file looks like this:

    filter {
      if [source] =~ ".*request_response\.json$" {

        # parse the JSON text in "message" into the TestJson object
        json {
          source => "message"
          target => "TestJson"
        }

        if [payload] =~ /{+/ { # check if it is an object
          mutate {
            add_field => { "type" => "%{[TestJson][type]}" }
            add_field => { "payload" => "%{[TestJson][payload]}" }
          }
        } # end if payload is an object

        mutate {
          convert => {
            "type" => "string"
            "payload" => "string"
          } # end convert
        } # end mutate

      } # end if source is json
    } # end filter

    output {
      elasticsearch {
        hosts => "localhost:9201"
        index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
        document_type => "%{[@metadata][type]}"
      } # end elasticsearch
    } # end output

There is a JSON called message, and inside it there is an empty payload, or a payload with, for example, a date or a more complex object.

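I think this error occurs if the object in the message is not complex enough.

I am writing this because I want to generate fields from nested JSON objects. How can I fix this error?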

Edit:

I added stdout next to elasticsearch in the logstash config, and using the command

    journalctl -u logstash.service --since "10 minutes ago" | grep -C 30 'Could not index event'

I got these logs next to the error:

Feb 13 15:29:02 f logstash[19144]: [2019-02-13T15:29:02,328][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"filebeat-2019.02.13", :_type=>"doc", :routing=>nil}, #<LogStash::Event:0x4fe8d3ae>], :response=>{"index"=>{"_index"=>"filebeat-2019.02.13", "_type"=>"doc", "_id"=>"Px1C52gBmZ_b74M80KX2", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"object mapping for [TestJson.payload] tried to parse field [payload] as object, but found a concrete value"}}}}
Feb 13 15:29:05 f logstash[19144]: {
Feb 13 15:29:05 f logstash[19144]: "host" => {
Feb 13 15:29:05 f logstash[19144]: "id" => "b",
Feb 13 15:29:05 f logstash[19144]: "name" => "f",
Feb 13 15:29:05 f logstash[19144]: "containerized" => true,
Feb 13 15:29:05 f logstash[19144]: "architecture" => "x86_64",
Feb 13 15:29:05 f logstash[19144]: "os" => {
Feb 13 15:29:05 f logstash[19144]: "family" => "redhat",
Feb 13 15:29:05 f logstash[19144]: "platform" => "centos",
Feb 13 15:29:05 f logstash[19144]: "version" => "7 (Core)",
Feb 13 15:29:05 f logstash[19144]: "codename" => "Core"
Feb 13 15:29:05 f logstash[19144]: }
Feb 13 15:29:05 f logstash[19144]: },
Feb 13 15:29:05 f logstash[19144]: "pid" => "27854",
Feb 13 15:29:05 f logstash[19144]: "beat" => {
Feb 13 15:29:05 f logstash[19144]: "hostname" => "f",
Feb 13 15:29:05 f logstash[19144]: "name" => "f",
Feb 13 15:29:05 f logstash[19144]: "version" => "6.5.3"
Feb 13 15:29:05 f logstash[19144]: },
Feb 13 15:29:05 f logstash[19144]: "message" => "{\"type\":\"Response\",\"payload\":\"2019-02-13T15:29:00.276\"}",
Feb 13 15:29:05 f logstash[19144]: "severity" => "DEBUG",
Feb 13 15:29:05 f logstash[19144]: "parent" => "6fce34dc18cb0e31",
Feb 13 15:29:05 f logstash[19144]: "event" => "",
Feb 13 15:29:05 f logstash[19144]: "span" => "44c9f754c7ca5b58",
Feb 13 15:29:05 f logstash[19144]: "@timestamp" => 2019-02-13T14:29:01.669Z,
Feb 13 15:29:05 f logstash[19144]: "input" => {
Feb 13 15:29:05 f logstash[19144]: "type" => "log"
Feb 13 15:29:05 f logstash[19144]: },
Feb 13 15:29:05 f logstash[19144]: "thread" => "http-nio-9080-exec-54",
Feb 13 15:29:05 f logstash[19144]: "service" => "bi",
--
Feb 13 15:29:05 f logstash[19144]: "@timestamp" => 2019-02-13T14:29:01.669Z,
Feb 13 15:29:05 f logstash[19144]: "service" => "bi",
Feb 13 15:29:05 f logstash[19144]: "prospector" => {
Feb 13 15:29:05 f logstash[19144]: "type" => "log"
Feb 13 15:29:05 f logstash[19144]: },
Feb 13 15:29:05 f logstash[19144]: "thread" => "http-nio-9080-exec-54",
Feb 13 15:29:05 f logstash[19144]: "offset" => 3006421,
Feb 13 15:29:05 f logstash[19144]: "@version" => "1",
Feb 13 15:29:05 f logstash[19144]: "input" => {
Feb 13 15:29:05 f logstash[19144]: "type" => "log"
Feb 13 15:29:05 f logstash[19144]: },
Feb 13 15:29:05 f logstash[19144]: "tags" => [
Feb 13 15:29:05 f logstash[19144]: [0] "beats_input_codec_plain_applied"
Feb 13 15:29:05 f logstash[19144]: ],
Feb 13 15:29:05 f logstash[19144]: "TestJson" => {
Feb 13 15:29:05 f logstash[19144]: "payload" => "",
Feb 13 15:29:05 f logstash[19144]: "url" => "/bi/getTime",
Feb 13 15:29:05 f logstash[19144]: "type" => "Request",
Feb 13 15:29:05 f logstash[19144]: "sessionId" => 476,
Feb 13 15:29:05 f logstash[19144]: "username" => "k",
Feb 13 15:29:05 f logstash[19144]: "lang" => "pl",
Feb 13 15:29:05 f logstash[19144]: "contentType" => "null",
Feb 13 15:29:05 f logstash[19144]: "ipAddress" => "127.0.0.1",
Feb 13 15:29:05 f logstash[19144]: "method" => "POST",
Feb 13 15:29:05 f logstash[19144]: "queryString" => "null"
Feb 13 15:29:05 f logstash[19144]: },
Feb 13 15:29:05 f logstash[19144]: "trace" => "6fce34dc18cb0e31",
Feb 13 15:29:05 f logstash[19144]: "date" => "2019-02-13 15:29:00,277",
Feb 13 15:29:05 f logstash[19144]: "source" => "/opt/tomcat-bo/logs/bi_request_response.json"
Feb 13 15:29:05 f logstash[19144]: }
Feb 13 15:29:05 f logstash[19144]: [2019-02-13T15:29:05,326][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"filebeat-2019.02.13", :_type=>"doc", :routing=>nil}, #<LogStash::Event:0x1812fa5e>], :response=>{"index"=>{"_index"=>"filebeat-2019.02.13", "_type"=>"doc", "_id"=>"Uh1C52gBmZ_b74M83KWr", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"object mapping for [TestJson.payload] tried to parse field [payload] as object, but found a concrete value"}}}}
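
The conflict reported in the log above, as an added example that is not part of the original post: a simplified model of dynamic mapping for a single field, where the first non-null value fixes the field as object or concrete and later values of the other kind are rejected, followed by a normalization that gives payload one stable shape. The function names and the sample messages are hypothetical; the first sample (an object payload) is an assumption, the other two shapes appear in the log.

```ruby
require 'json'

# Constructed sample "message" strings. The string and empty payloads mirror
# the log above; the object payload is an assumed third shape.
SAMPLE_MESSAGES = [
  '{"type":"Request","payload":{"user":{"id":7}}}',
  '{"type":"Response","payload":"2019-02-13T15:29:00.276"}',
  '{"type":"Request","payload":""}'
].freeze

# A JSON object maps as :object, every other non-null value as :concrete.
def kind_of_value(value)
  value.is_a?(Hash) ? :object : :concrete
end

# Simplified model of dynamic mapping for one field: the first non-null value
# decides the mapping, later documents of the other kind would get HTTP 400.
# Returns the positions of the documents that would be rejected.
def rejected_indexes(docs, field)
  mapped = nil
  docs.each_index.select do |i|
    value = docs[i][field]
    next false if value.nil?
    mapped ||= kind_of_value(value)
    kind_of_value(value) != mapped
  end
end

# Give the field one stable shape: objects and arrays are re-serialized to a
# JSON string, other scalars are stringified, null and strings pass through.
def normalize_payload(doc, field = 'payload')
  value = doc[field]
  return doc if value.nil? || value.is_a?(String)
  text = value.is_a?(Hash) || value.is_a?(Array) ? JSON.generate(value) : value.to_s
  doc.merge(field => text)
end

# Compare rejected documents before and after normalization.
def demo
  docs = SAMPLE_MESSAGES.map { |m| JSON.parse(m) }
  { before: rejected_indexes(docs, 'payload'),
    after: rejected_indexes(docs.map { |d| normalize_payload(d) }, 'payload') }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

With the object payload indexed first, both the date string and the empty string are rejected; after normalization every payload is a string and nothing conflicts, at the cost of the nested keys no longer being separate fields.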