- elasticsearch/
elasticsearch 日志存储和弹性升级
elasticsearch 日志存储和弹性升级
我在5.1版上有一个功能日志和Elasticsearch 我删除了所有索引,然后升级到6.1 现在,当Logstash从Filebeat(仍然是5.1版)接收到一些事件时,它抛出以下错误:
[2017-12-27T17:29:16,463][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch.
{
:status => 400,
:action => ["index", {:_id=>nil, :_index=>"logstash-2017.12.27", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x34de85bd>],
:response => {
"index" => {
"_index" => "logstash-2017.12.27",
"_type" => "doc",
"_id" => nil,
"status" => 400,
"error" => {
"type" => "mapper_parsing_exception",
"reason" => "Failed to parse mapping [_default_]: [include_in_all] is not allowed for indices created on or after version 6.0.0 as [_all] is deprecated. As a replacement, you can use an [copy_to] on mapping fields to create your own catch all field.",
"caused_by" => {
"type" => "mapper_parsing_exception",
"reason" => "[include_in_all] is not allowed for indices created on or after version 6.0.0 as [_all] is deprecated. As a replacement, you can use an [copy_to] on mapping fields to create your own catch all field."
}
}
}
}
}
include_in_all你能把你的模板/映射粘贴到这里吗?这个答案只是对@alexanderlz所说的内容进行扩展。在kibana的DevTools页面中,我运行了以下命令:
GET /_template/
DELETE /_template/logstash
完成后,重新启动logstash,它将重新安装一个新的、正确的模板。非常感谢您的深入了解,它现在工作正常。我的工作方式是删除这些字段,或者简单地删除模板,让新的日志隐藏起来,然后再次创建它。总的来说,这再次证明了阅读主要版本的更改日志是值得的。@Navarro-如何删除模板?kibana中的DevTools页面非常有用。这种方法也解决了我的问题。做得好!
"logstash": {
"order": 0,
"version": 60001,
"index_patterns": [
"logstash-*"
],
DELETE /_template/logstash