- elasticsearch/
elasticsearch ElasticSearch/Logstash:动态映射错误
elasticsearch ElasticSearch/Logstash:动态映射错误
我已经安装了ES集群和Logstash。 我有很多信息的输入类型。现在我对Gelf输入类型有问题。我需要将ES中的所有字段存储为字符串,但如果我在gelf“message”字段中有json,ES将从此json创建新的映射。我不想要它,我尝试了很多变体来禁用“message”字段的动态映射。 日志存储模板配置:
{
"mappings":{
"_default_":{
"_all":{
"enabled":false
},
"_source":{
"enabled":true,
"compress":true
},
"dynamic_templates":[
{
"message_template":{
"mapping":{
"index":"not_analyzed",
"type":"string"
},
"match":"message",
"match_mapping_type":"string"
},
"string_template":{
"mapping":{
"index":"not_analyzed",
"type":"string"
},
"match":"*",
"match_mapping_type":"string"
}
}
],
"properties":{
"@version":{
"index":"not_analyzed",
"type":"long"
},
"@timestamp":{
"type":"date",
"format":"dateOptionalTime"
},
"message":{
"type":"string",
"index":"not_analyzed",
"dynamic":false
}
}
}
},
"settings":{
"index.translog.flush_threshold_ops":50000,
"index.translog.flush_threshold_size":1073741824,
"refresh_interval":30,
"number_of_replicas":0,
"number_of_shards":1
},
"template":"gelf-*"
}
output {
if [type] == "gelf" {
elasticsearch {
index => 'logstash-%{+YYYY.MM.dd}'
protocol => http
template_name => 'logstash-*'
workers => 4
template_overwrite => true
template => '/etc/logstash/index-template.json'
}
} else {
elasticsearch {
index => 'logstash-%{+YYYY.MM.dd}'
protocol => http
template_name => 'gelf-*'
workers => 4
template_overwrite => true
template => '/etc/logstash/gelf-template.json'
}
}
}