如何更改使用Elasticsearch映射API

Question

現有的索引字段類型我使用ELK並具有以下的文檔結構

{ 
    "_index": "prod1-db.log-*", 
    "_type": "db.log", 
    "_id": "AVadEaq7", 
    "_score": null, 
    "_source": { 
    "message": "2016-07-08T12:52:42.026+0000 I NETWORK [conn4928242] end connection 192.168.170.62:47530 (31 connections now open)", 
    "@version": "1", 
    "@timestamp": "2016-08-18T09:50:54.247Z", 
    "type": "log", 
    "input_type": "log", 
    "count": 1, 
    "beat": { 
     "hostname": "prod1", 
     "name": "prod1" 
    }, 
    "offset": 1421607236, 
    "source": "/var/log/db/db.log", 
    "fields": null, 
    "host": "prod1", 
    "tags": [ 
     "beats_input_codec_plain_applied" 
    ] 
    }, 
    "fields": { 
    "@timestamp": [ 
     1471513854247 
    ] 
    }, 
    "sort": [ 
    1471513854247 
    ] 
} 

我想了message字段更改爲not_analyzed。我想知道如何使用Elasticsedarch Mapping API來實現？例如，如何使用PUT Mapping API向現有索引添加新類型？

我正在使用Kibana 4.5和Elasticsearch 2.3。開始logstash當

UPDATE 試圖在logstash以下template.json，

1 { 
2 "template": "logstash-*", 
3 "mappings": { 
4  "_default_": { 
5  "properties": { 
6   "message" : { 
7   "type" : "string", 
8   "index" : "not_analyzed" 
9   } 
10  } 
11  } 
12 } 
13 } 

得到了下面的錯誤，

logstash_1  | {:timestamp=>"2016-08-24T11:00:26.097000+0000", :message=>"Invalid setting for elasticsearch output plugin:\n\n output {\n elasticsearch {\n  # This setting must be a path\n  # File does not exist or cannot be opened /home/dw/docker-elk/logstash/core_mapping_template.json\n  template => \"/home/dw/docker-elk/logstash/core_mapping_template.json\"\n  ...\n }\n }", :level=>:error} 
logstash_1  | {:timestamp=>"2016-08-24T11:00:26.153000+0000", :message=>"Pipeline aborted due to error", :exception=>#<LogStash::ConfigurationError: Something is wrong with your configuration.>, :backtrace=>["/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/config/mixin.rb:134:in `config_init'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/outputs/base.rb:63:in `initialize'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/output_delegator.rb:74:in `register'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:181:in `start_workers'", "org/jruby/RubyArray.java:1613:in `each'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:181:in `start_workers'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:136:in `run'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/agent.rb:473:in `start_pipeline'"], :level=>:error} 
logstash_1  | {:timestamp=>"2016-08-24T11:00:29.168000+0000", :message=>"stopping pipeline", :id=>"main"} 

Answer 1

當它已經存在，你不能更改索引的映射，除非您創建對象或多個字段的新字段。

如果您想使用您的要求是這樣的映射API：

PUT /prod1-db.log-*/_mapping/log 
{ 
    "properties": { 
    "message": { 
     "type": "string", 
     "index": "not_analyzed" 
    } 
    } 
} 

不過我建議你創建你的映射一個JSON文件，並將其添加到您的logstash配置。

模板文件看起來像這樣（您需要定製此）：

{ 
    "template": "logstash-*", 
    "mappings": { 
    "_default_": { 
     "properties": { 
     "action" : { 
      "type" : "string", 
      "fields" : { 
      "raw" : { 
       "index" : "not_analyzed", 
       "type" : "string" 
      } 
      } 
     }, 
     "ad_domain" : { 
      "type" : "string" 
     }, 
     "auth" : { 
      "type" : "long" 
     }, 
     "authtime" : { 
      "type" : "long" 
     }, 
     "avscantime" : { 
      "type" : "long" 
     }, 
     "cached" : { 
      "type" : "boolean" 
     } 
     } 
    } 
    } 
} 

而在你Logstash配置的elasticsearch條目是這樣的：

elasticsearch { 
    template => "/etc/logstash/template/template.json" 
    template_overwrite => true 
} 

Answer 2

如果你所有的避風港在創建索引時不會爲索引創建任何映射，首次將文檔索引到索引中時，彈性搜索會根據提供的數據自動爲每個字段選擇最佳映射。查看您在問題中提供的文檔，elasticsearch將會爲字段message分配一個分析器。分配後，您無法更改它。唯一的方法就是創建一個新的索引。