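I have installed an ES cluster and Logstash. I have messages from many input types. Now I have a problem with the GELF input type. I need to store all fields in ES as strings, but if there is JSON in the GELF "message" field, ES creates new mappings from this JSON. I don't want that, and I have tried many variants to disable dynamic mapping for the "message" field. The Logstash template configuration: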
{
  "mappings": {
    "_default_": {
      "_all": {
        "enabled": false
      },
      "_source": {
        "enabled": true,
        "compress": true
      },
      "dynamic_templates": [
        {
          "message_template": {
            "mapping": {
              "index": "not_analyzed",
              "type": "string"
            },
            "match": "message",
            "match_mapping_type": "string"
          },
          "string_template": {
            "mapping": {
              "index": "not_analyzed",
              "type": "string"
            },
            "match": "*",
            "match_mapping_type": "string"
          }
        }
      ],
      "properties": {
        "@version": {
          "index": "not_analyzed",
          "type": "long"
        },
        "@timestamp": {
          "type": "date",
          "format": "dateOptionalTime"
        },
        "message": {
          "type": "string",
          "index": "not_analyzed",
          "dynamic": false
        }
      }
    }
  },
  "settings": {
    "index.translog.flush_threshold_ops": 50000,
    "index.translog.flush_threshold_size": 1073741824,
    "refresh_interval": 30,
    "number_of_replicas": 0,
    "number_of_shards": 1
  },
  "template": "gelf-*"
}
And the Logstash output:
output {
  if [type] == "gelf" {
    elasticsearch {
      index => 'logstash-%{+YYYY.MM.dd}'
      protocol => http
      template_name => 'logstash-*'
      workers => 4
      template_overwrite => true
      template => '/etc/logstash/index-template.json'
    }
  } else {
    elasticsearch {
      index => 'logstash-%{+YYYY.MM.dd}'
      protocol => http
      template_name => 'gelf-*'
      workers => 4
      template_overwrite => true
      template => '/etc/logstash/gelf-template.json'
    }
  }
}
When a new message arrives with JSON in the "message" field, I get this mapping in ES: http://pastebin.com/R9Ei3zEK