我已经使用 Elasticsearch 6 很长一段时间了,并且成功地为我最常用的字段应用了一个映射(mapping)。最近,我创建了另一个集群(v7.7),但无法应用相同的映射,因为 `_default_` 映射已被弃用。我的映射中有一些嵌套对象。当我将 `_default_` 替换为 `_doc` 时,我可以应用映射,但是所有发往 ES 的请求都会被拒绝,并进入 Logstash 死信队列(我正在使用 Logstash 将我的应用程序日志发送到 Elasticsearch)。以下是我的映射 JSON:
"index_patterns": [
"logstash-*"
],
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": "50000"
}
},
"refresh_interval": "5s"
}
},
"mappings": {
"_default_": {
"_all": {
"norms": false
},
"properties": {
"@timestamp": {
"type": "date"
},
"name": {
"ignore_above": 64,
"type": "keyword"
},
"logger": {
"ignore_above": 64,
"type": "keyword"
},
"hostname": {
"ignore_above": 256,
"type": "keyword"
},
"pid": {
"type": "integer"
},
"level": {
"type": "short"
},
"v": {
"type": "short"
},
"env": {
"ignore_above": 64,
"type": "keyword"
},
"service": {
"ignore_above": 256,
"type": "keyword"
},
"message": {
"type": "text"
},
"module": {
"type": "keyword"
},
"subModule": {
"type": "keyword"
},
"docker": {
"properties": {
"container_id": {
"ignore_above": 512,
"type": "keyword"
},
"container_name": {
"ignore_above": 512,
"type": "keyword"
},
"image_id": {
"ignore_above": 512,
"type": "keyword"
},
"image_name": {
"ignore_above": 512,
"type": "keyword"
},
"command": {
"ignore_above": 512,
"type": "keyword"
},
"tag": {
"ignore_above": 512,
"type": "keyword"
},
"created": {
"type": "date"
}
}
},
"data": {
"type": "text"
},
"context": {
"properties": {
"trade": {
"properties": {
"id": {
"ignore_above": 64,
"type": "keyword"
}
}
},
"trader": {
"properties": {
"id": {
"ignore_above": 64,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"payment": {
"properties": {
"id": {
"ignore_above": 64,
"type": "keyword"
}
}
},
"err": {
"properties": {
"message": {
"type": "text"
},
"name": {
"ignore_above": 256,
"type": "keyword"
},
"stack": {
"type": "text"
},
"code": {
"ignore_above": 256,
"type": "keyword"
},
"file": {
"ignore_above": 256,
"type": "keyword"
},
"line": {
"type": "integer"
},
"cause": {
"properties": {
"message": {
"type": "text"
},
"name": {
"ignore_above": 256,
"type": "keyword"
},
"stack": {
"type": "text"
},
"code": {
"ignore_above": 256,
"type": "keyword"
},
"file": {
"ignore_above": 256,
"type": "keyword"
},
"line": {
"type": "integer"
},
"cause": {
"properties": {
"message": {
"type": "text"
},
"name": {
"ignore_above": 256,
"type": "keyword"
},
"stack": {
"type": "text"
},
"code": {
"ignore_above": 256,
"type": "keyword"
},
"file": {
"ignore_above": 256,
"type": "keyword"
},
"line": {
"type": "integer"
}
}
}
}
}
}
},
"req": {
"properties": {
"id": {
"ignore_above": 64,
"type": "keyword"
},
"remoteAddress": {
"type": "ip"
},
"remotePort": {
"type": "integer"
},
"method": {
"ignore_above": 32,
"type": "keyword"
},
"path": {
"type": "text"
},
"body": {
"type": "text"
},
"bodyLength": {
"type": "integer"
},
"headers": {
"type": "text"
}
}
},
"res": {
"properties": {
"statusCode": {
"type": "short"
},
"body": {
"type": "text"
},
"bodyLength": {
"type": "integer"
},
"headers": {
"type": "text"
},
"latency": {
"type": "integer"
}
}
},
"event": {
"properties": {
"eventName": {
"ignore_above": 256,
"type": "keyword"
},
"context": {
"type": "text"
},
"uuid": {
"ignore_above": 64,
"type": "keyword"
},
"time": {
"type": "long"
},
"attempts": {
"type": "short"
}
}
},
"task": {
"properties": {
"taskName": {
"ignore_above": 256,
"type": "keyword"
},
"context": {
"type": "text"
},
"uuid": {
"ignore_above": 64,
"type": "keyword"
},
"time": {
"type": "long"
},
"attempts": {
"type": "short"
},
"origin": {
"ignore_above": 128,
"type": "keyword"
}
}
}
}
},
"dlq": {
"properties": {
"eventFields": {
"type": "text"
},
"reason": {
"type": "text"
}
}
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
我想知道如何将此应用于elasticsearch7?
以下是elasticsearch错误:
[o.e.a.a.i.m.p.TransportPutMappingAction] [0c85334cb2d41154383d0174502e13f2] failed to put mappings on indices [[[__PATH__]]], type [logs]
java.lang.IllegalArgumentException: Rejecting mapping update to [logstash-2020.10.02] as the final mapping would have more than 1 type: [_doc, logs]
3条答案
按热度按时间aor9mmx11#
@ylr 给出的答案几乎是正确的,但是他提供的映射中有一些解析错误。
`_all` 字段在 6.0 中已被弃用。
对于在 6.0+ 中创建的索引,不能再启用 `_all`,请改用自定义字段和映射的 `copy_to` 参数。
请参阅此elasticsearch文档,了解更多信息。
在 Elasticsearch 7.0.0 或更高版本中创建的索引不再接受 `_default_` 映射。在 6.x 中创建的索引将继续像在 Elasticsearch 6.x 中一样工作。在 7.0 的 API 中,映射类型(type)已被弃用,索引创建、put mapping、get mapping、put template、get template 和 get field mappings 等 API 都有重大变更。
修改后的Map为:
0tdrvxhp2#
必须更新v7中不支持的某些字段。
下面的请求是一个已删除/更新了不受支持字段的示例:
juzqafwq3#
我找到答案了!
Logstash 使用类型 `logs` 将日志发送到 Elasticsearch。将 `_default_` 替换为 `logs` 解决了问题。但是,由于模板中仍然带有类型名,要在 7 版本中应用该映射,需要使用
PUT /_template/template_1?include_type_name=true