- elasticsearch/
elasticsearch logstash geoip.location映射到geo_点不工作
elasticsearch logstash geoip.location映射到geo_点不工作
我可以在默认映射中看到geoip.location映射到geo_点类型:
GET myserver:9200/_template
{
"logstash": {
"order": 0,
"version": 50001,
"template": "logstash-*",
"settings": {
"index": {
"refresh_interval": "5s"
}
},
"mappings": {
"_default_": {
"dynamic_templates": [
{
"message_field": {
"path_match": "message",
"mapping": {
"norms": false,
"type": "text"
},
"match_mapping_type": "string"
}
},
{
"string_fields": {
"mapping": {
"norms": false,
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"match_mapping_type": "string",
"match": "*"
}
}
],
"_all": {
"norms": false,
"enabled": true
},
"properties": {
"@timestamp": {
"include_in_all": false,
"type": "date"
},
"geoip": {
"dynamic": true,
"properties": {
"ip": {
"type": "ip"
},
"latitude": {
"type": "half_float"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "half_float"
}
}
},
"@version": {
"include_in_all": false,
"type": "keyword"
}
}
}
},
"aliases": {}
}
}
geoip {
source => "myField"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float"]
}
geoip{source=>“myfield”}geoip {
source => "myfield"
add_field => [ "[geoip][location]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][location]", "%{[geoip][latitude]}" ]
}
您可能只是有一个输入错误(第1点),但还包括一些其他需要注意的事项
geoip.coordinates\u映射中使用geoip.location
convert=>[“[geoip][coordinates]”和“float”]地理点将我的索引名更改为logstash myindex有效。输入错误在哪里?一个地方有坐标,另一个地方有位置。第2点也同样适用于我正在测试的所有注释,如果映射在默认情况下已经正确设置,可能我只需要geoip{source=>“myField”},其他什么都不需要--
geoip[geoip][location]地理点的类型。只要删除索引并重新创建它,所有这些都应该可以工作。(所以去掉你的mutate
和add_字段
s)第4点对我来说就像一个符咒。除了那一步,我每一步都在做!非常感谢。请详细介绍一下这个解决方案:一个名为“logstash”的默认“遗留索引模板”正在使用这个技巧(至少现在是这样)。它用于索引模式“logstash-*”。这就是改名起作用的原因。您可以在“堆栈管理/索引管理/索引模板”中找到模板(通常www.your-es-server.com/app/Management/data/Index\u Management/Templates
)