ElasticSearch - 无法获取映射
ElasticSearch - Unable to fetch mapping
我已经设置了一个 ELK 堆栈来索引我的 Akamai 日志。我在 Logstash 中创建了一个 conf 文件,并在加载 Logstash 时加载它。我的日志文件只是显示
Pipeline main started
但是,我无法在 Kibana 中创建索引。我看到消息
Unable to fetch mapping
我通过调试器 运行 我的 grok 语句,似乎我捕获了所有内容。这是我的配置:
input {
file {
path => "C:\Akamai_Logs\US\*"
start_position => "beginning"
}
}
filter {
grok {
match => ["message", "%{DATE:date} %{TIME:time} %{IP:client} %{WORD:method} %{URIPATH:URI} %{NUMBER:status} %{NUMBER:bytes} %{NUMBER:time_taken} %{NOTSPACE:refererr} %{QS:user_agent} %{GREEDYDATA:cookie}"]
}
}
output {
stdout {codec => rubydebug}
elasticsearch {
hosts => ["localhost:9200"]
}
}
这是来自其中一个日志的示例行
2016-06-14 14:03:42 1.1.1.1 GET /origin-uri 200 26222 0 "referrer" "user agent" "cookie string"
日志文件中的空格是否会导致索引出现任何问题?我只是错过了其他东西吗?
编辑:忘记添加我的 Logstash 模板
{
"template": "logstash-*",
"settings" : {
"number_of_shards" : 1,
"number_of_replicas" : 0,
"index" : {
"query" : { "default_field" : "@message" },
"store" : { "compress" : { "stored" : true, "tv": true } }
}
},
"mappings": {
"_default_": {
"_all": { "enabled": false },
"_source": { "compress": true },
"dynamic_templates": [
{
"string_template" : {
"match" : "*",
"mapping": { "type": "string", "index": "not_analyzed" },
"match_mapping_type" : "string"
}
}
],
"properties" : {
"@date": { "type": "date", "format": "yyyy-MM-dd" },
"@time": { "type": "time", "format": "hh:mm:ss" },
"@hostip": {"type": "string","index" : "not_analyzed"},
"@method": {"type": "string","index" : "not_analyzed"},
"@page": {"type": "string","index" : "not_analyzed"},
"@status": {"type": "integer"},
"@bytes": {"type": "integer"},
"@timetaken": {"type": "integer"},
"@referrer": {"type": "string","index" : "not_analyzed"},
"@useragent": {"type": "string","index" : "not_analyzed"},
"@cookie": {"type": "string","index" : "not_analyzed"}
}
}
}
}
用这个替换您的 file 输入(使用正斜杠而不是反斜杠),那么它应该可以工作。
input {
file {
path => "C:/Akamai_Logs/US/*.*"
start_position => "beginning"
}
}
更新
由于您有自己的索引模板文件,因此请务必像这样修改您的 elasticsearch 输出:
output {
elasticsearch {
hosts => ["localhost:9200"]
template => "/path/to/logstash-template.json"
template_overwrite => true
}
}
如果您的 ES 中已经存在 logstash 模板,也可以确保删除该模板
curl -XDELETE localhost:9200/_template/logstash
我已经设置了一个 ELK 堆栈来索引我的 Akamai 日志。我在 Logstash 中创建了一个 conf 文件,并在加载 Logstash 时加载它。我的日志文件只是显示
Pipeline main started
但是,我无法在 Kibana 中创建索引。我看到消息
Unable to fetch mapping
我通过调试器 运行 我的 grok 语句,似乎我捕获了所有内容。这是我的配置:
input {
file {
path => "C:\Akamai_Logs\US\*"
start_position => "beginning"
}
}
filter {
grok {
match => ["message", "%{DATE:date} %{TIME:time} %{IP:client} %{WORD:method} %{URIPATH:URI} %{NUMBER:status} %{NUMBER:bytes} %{NUMBER:time_taken} %{NOTSPACE:refererr} %{QS:user_agent} %{GREEDYDATA:cookie}"]
}
}
output {
stdout {codec => rubydebug}
elasticsearch {
hosts => ["localhost:9200"]
}
}
这是来自其中一个日志的示例行
2016-06-14 14:03:42 1.1.1.1 GET /origin-uri 200 26222 0 "referrer" "user agent" "cookie string"
日志文件中的空格是否会导致索引出现任何问题?我只是错过了其他东西吗?
编辑:忘记添加我的 Logstash 模板
{
"template": "logstash-*",
"settings" : {
"number_of_shards" : 1,
"number_of_replicas" : 0,
"index" : {
"query" : { "default_field" : "@message" },
"store" : { "compress" : { "stored" : true, "tv": true } }
}
},
"mappings": {
"_default_": {
"_all": { "enabled": false },
"_source": { "compress": true },
"dynamic_templates": [
{
"string_template" : {
"match" : "*",
"mapping": { "type": "string", "index": "not_analyzed" },
"match_mapping_type" : "string"
}
}
],
"properties" : {
"@date": { "type": "date", "format": "yyyy-MM-dd" },
"@time": { "type": "time", "format": "hh:mm:ss" },
"@hostip": {"type": "string","index" : "not_analyzed"},
"@method": {"type": "string","index" : "not_analyzed"},
"@page": {"type": "string","index" : "not_analyzed"},
"@status": {"type": "integer"},
"@bytes": {"type": "integer"},
"@timetaken": {"type": "integer"},
"@referrer": {"type": "string","index" : "not_analyzed"},
"@useragent": {"type": "string","index" : "not_analyzed"},
"@cookie": {"type": "string","index" : "not_analyzed"}
}
}
}
}
用这个替换您的 file 输入(使用正斜杠而不是反斜杠),那么它应该可以工作。
input {
file {
path => "C:/Akamai_Logs/US/*.*"
start_position => "beginning"
}
}
更新
由于您有自己的索引模板文件,因此请务必像这样修改您的 elasticsearch 输出:
output {
elasticsearch {
hosts => ["localhost:9200"]
template => "/path/to/logstash-template.json"
template_overwrite => true
}
}
如果您的 ES 中已经存在 logstash 模板,也可以确保删除该模板
curl -XDELETE localhost:9200/_template/logstash