Logstash和弹性升级
问题描述:
我在5.1版上有一个功能性Logstash和Elasticsearch。Logstash和弹性升级
我删除了所有索引,然后升级到6.1。
现在,当Logstash接收来自Filebeat(这剧照5.1版)的一些事件,它抛出这个错误:
[2017-12-27T17:29:16,463][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch.
{
:status => 400,
:action => ["index", {:_id=>nil, :_index=>"logstash-2017.12.27", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x34de85bd>],
:response => {
"index" => {
"_index" => "logstash-2017.12.27",
"_type" => "doc",
"_id" => nil,
"status" => 400,
"error" => {
"type" => "mapper_parsing_exception",
"reason" => "Failed to parse mapping [_default_]: [include_in_all] is not allowed for indices created on or after version 6.0.0 as [_all] is deprecated. As a replacement, you can use an [copy_to] on mapping fields to create your own catch all field.",
"caused_by" => {
"type" => "mapper_parsing_exception",
"reason" => "[include_in_all] is not allowed for indices created on or after version 6.0.0 as [_all] is deprecated. As a replacement, you can use an [copy_to] on mapping fields to create your own catch all field."
}
}
}
}
}
使用非常简单的管道我甚至试过了,你可以在这里看到:
input {
beats {
port => 5044
}
}
filter {
json {
source => "message"
}
}
output {
elasticsearch { hosts => ["localhost:9200"] }
}
但它一遍又一遍地抛出这个错误。
任何想法在这里可能是错的?
答
看看changes in mapping, introduced in elasticsearch 6.0
你需要从你的索引模板中删除include_in_all
映射参数。
你可以在这里粘贴你的模板/映射吗?
答
这个答案只是扩展@alexanderlz说的。从kibana的DevTools页我跑了这一点:
GET /_template/
,列出了所有的模板
这里我们需要删除/修改(部分)的模板:
"logstash": {
"order": 0,
"version": 60001,
"index_patterns": [
"logstash-*"
],
因此然后运行
DELETE /_template/logstash
一旦完成,重新启动logstash,它将重新安装一个新的正确的模板。
非常感谢这个洞察力,现在它工作的很好。 我通过删除这些字段或简单地删除模板并让新日志隐藏再次创建它来工作。 一般而言,它再次证明我读取主要版本的更改日志非常值得。 – Navarro
@Navarro - 你如何删除模板? – Wjdavis5