1.報錯信息如下:
[2018-07-16T00:10:17,743][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"filebeat-api-2018.07.15", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x38a5460c>], :response=>{"index"=>{"_index"=>"filebeat-api-2018.07.15", "_type"=>"doc", "_id"=>"erO0nmQB3VHsYd1y-IbI", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [params.end_day]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"\""}}}}}
日期格式不對報錯,解決辦法如下,建立一個map,關掉日期格式檢測,對需要日期格式的字段加上date類型字段。這里也實現了field限制,將默認的1000加到了3000.
報錯:
"reason"=>"object mapping for [params.commoditys] tried to parse field [commoditys] as object, but found a concrete value"}}}}
這個ignore_malformed設置為true解決
curl -XPUT "10.66.178.20:9200/_template/template_api" -H 'Content-Type: application/json' -d'{
"index_patterns":["filebeat-api-*"],
"order":0,
"settings":{
"number_of_replicas":0,
"index":{
"mapping":{
"ignore_malformed": true,
"total_fields": {
"limit": "3000"
}
}
}
},
"mappings": {
"doc": {
"date_detection": false,
"properties": {
"@timestamp": {
"type": "date"
}
}
}
}
}'