Logstash Kibana geoip mapping error | unable to change index


I have Kibana indexing my geoip data. The problem is that my data is indexed in Kibana as:

geoip.city_name
geoip.continent_code
geoip.country_code2
geoip.country_code3
geoip.country_name
geoip.dma_code
geoip.ip
geoip.latitude
geoip.location.lat
geoip.location.lon
geoip.longitude
geoip.postal_code
geoip.region_code
geoip.region_name
geoip.timezone
To make a map with my data, I need a field of type geo_point. The error I see when trying to build the map is:

No Compatible Fields: The "csv" index pattern does not contain any of the following field types: geo_point
I found some solutions saying I have to change the index from "csv" to something matching logstash-*. When I change the index, I get the following error:

[2017-10-13T11:01:03,653][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-csv", :_type=>"csv", :_routing=>nil}, 2017-10-13T09:01:03.039Z DESKTOP-hh 00.00.00.00,S], :response=>{"index"=>{"_index"=>"logstash-csv", "_type"=>"csv", "_id"=>"AV8UjolNaCIdC3w", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"[geoip.location] is defined as an object in mapping [csv] but this name is already used for a field in other types"}}}}
I am unable to fix the above error (if this is the final solution).

Versions:

Elec: 5.6.2
Logstash: 5.6.2 
Config file:

input {
    file {
        path => "C:\Users\JOEY2\Desktop\Deelproblemen\Applicatie\Output\OutputIPInfo.csv"
        start_position => "beginning"
        sincedb_path => "/dev/null"
    }
}

filter {
    csv {
        separator => ","
        columns => [IP, city, country, region, org, Latitude, Longitude, SpamList, Headers]
    }
    mutate {
        convert =>{
            "Latitude" => "float"
            "Longitude" => "float"
            }
        rename => [ "Latitude", "[location][lat]", "Longitude", "[location][lon]" ]
   }
    geoip { source => "IP" }
}

output {
    elasticsearch {
        action => "index"
        hosts => "http://localhost:9200"
        index => "csv"
        document_type => "csv"
    }
}
Mapping:

C:\Users\JOEY2\Downloads\curl-7.56.0-win64-ming\curl-7.56.0-win64-mingw\bin>curl -s localhost:9200/logstash-*/_mapping/?pretty
{
  "logstash-csv" : {
    "mappings" : {
      "my_type" : {
        "dynamic" : "true",
        "properties" : {
          "geoip" : {
            "dynamic" : "true",
            "properties" : {
              "location" : {
                "type" : "geo_point"
              }
            }
          }
        }
      }
    }
  }
}
I did create a template, which I saw in another solution:

PUT _template/logstash
{
  "template": "logstash-*", 
  "settings": {
    "number_of_replicas": 1,
    "number_of_shards": 2
  },
  "mappings": {
    "my_type": {
      "dynamic": "true",
      "properties": {
        "geoip": {
          "dynamic": true,
          "properties": {
            "location": {
              "type": "geo_point"
            }
          }
        }
      }
    }
  }
}
It feels like I am missing something simple, but I can't figure out what.
Thanks

You cannot change the data type of an index. But you can reindex.
See the link:

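When using the last step you mentioned, you need to be careful, because you may overwrite the default template, and you need a correct order that tells Elasticsearch whether to apply it before or after the default template.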

I have run into this issue; you are right that if the index starts with anything other than logstash-*, it will complain about the field type geo_point.

curl -XPUT 'localhost:9200/_template/csv' -H 'Content-Type: application/json' -d'
{
    "template": "csv", #this is your index name pattern
    "order": 2, #means apply after the default logstash template
    "settings": {
        #your settings go here
    },

    #add your mapping here
}'
Otherwise, the only guaranteed solution is to have the index name start with logstash-*.
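
An added example, not part of the question or the answers above: the 400 error in the question is consistent with its `_mapping` output, which maps `geoip.location` as `geo_point` under the type `my_type` while the Logstash output writes documents with `document_type => "csv"`. The Python sketch below checks a `_mapping` response for that mismatch and builds a template whose mapping type matches `document_type`. The function names are hypothetical, and the sample mapping is reconstructed from the question.

```python
import json

# Constructed sample: the _mapping response shown in the question.
MAPPING = json.loads("""
{"logstash-csv": {"mappings": {"my_type": {"dynamic": "true", "properties":
  {"geoip": {"dynamic": "true", "properties":
    {"location": {"type": "geo_point"}}}}}}}}
""")

def field_type(properties, dotted):
    """Return the mapped type of a dotted field path, or None if unmapped."""
    node = {"properties": properties}
    for part in dotted.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    return node.get("type", "object")

def conflicting_types(mapping, index, doc_type, field, dynamic_type="object"):
    """Types other than doc_type that already map `field` differently from
    what dynamic mapping would infer for doc_type (Elasticsearch 5.x shares
    field definitions across all types of one index)."""
    types = mapping[index]["mappings"]
    if field_type(types.get(doc_type, {}).get("properties", {}), field):
        return []  # doc_type has an explicit mapping; nothing is inferred
    return sorted(
        name for name, body in types.items()
        if name != doc_type
        and field_type(body.get("properties", {}), field) not in (None, dynamic_type)
    )

def build_template(pattern, doc_type, order):
    """Template whose mapping type matches the Logstash document_type."""
    return {
        "template": pattern,   # index name pattern, as in the answer above
        "order": order,        # higher order is applied after lower order
        "mappings": {doc_type: {"properties": {"geoip": {
            "dynamic": True,
            "properties": {"location": {"type": "geo_point"}}}}}},
    }

if __name__ == "__main__":
    # Assumption: the geoip filter emits location as a {lat, lon} object.
    print(conflicting_types(MAPPING, "logstash-csv", "csv", "geoip.location"))
    print(json.dumps(build_template("csv", "csv", 2), indent=2))
```

A template only applies to indices created after it is stored, so an existing index with the old mapping has to be deleted or reindexed before the new mapping takes effect.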