Logstash和弹性升级
我在5.1版上有一个功能性Logstash和Elasticsearch。Logstash和弹性升级
我删除了所有索引,然后升级到6.1。
现在,当Logstash接收来自Filebeat(这剧照5.1版)的一些事件,它抛出这个错误:
[2017-12-27T17:29:16,463][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {
:status => 400,
:action => ["index", {:_id=>nil, :_index=>"logstash-2017.12.27", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x34de85bd>],
:response => {
"index" => {
"_index" => "logstash-2017.12.27",
"_type" => "doc",
"_id" => nil,
"status" => 400,
"error" => {
"type" => "mapper_parsing_exception",
"reason" => "Failed to parse mapping [_default_]: [include_in_all] is not allowed for indices created on or after version 6.0.0 as [_all] is deprecated. As a replacement, you can use an [copy_to] on mapping fields to create your own catch all field.",
"caused_by" => {
"type" => "mapper_parsing_exception",
"reason" => "[include_in_all] is not allowed for indices created on or after version 6.0.0 as [_all] is deprecated. As a replacement, you can use an [copy_to] on mapping fields to create your own catch all field."
}
}
}
}
}
使用非常简单的管道我甚至试过了,你可以在这里看到:
input { beats {
port => 5044
}
}
filter {
json {
source => "message"
}
}
output {
elasticsearch { hosts => ["localhost:9200"] }
}
但它一遍又一遍地抛出这个错误。
任何想法在这里可能是错的?
回答:
看看changes in mapping, introduced in elasticsearch 6.0
你需要从你的索引模板中删除include_in_all映射参数。
你可以在这里粘贴你的模板/映射吗?
回答:
这个答案只是扩展@alexanderlz说的。从kibana的DevTools页我跑了这一点:
GET /_template/ ,列出了所有的模板
这里我们需要删除/修改(部分)的模板:
"logstash": { "order": 0,
"version": 60001,
"index_patterns": [
"logstash-*"
],
因此然后运行
DELETE /_template/logstash 一旦完成,重新启动logstash,它将重新安装一个新的正确的模板。
以上是 Logstash和弹性升级 的全部内容, 来源链接: utcz.com/qa/266365.html
