  • Index error reported by the Coordinate Map visualization in Kibana

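    Today I was building a map visualization showing the source IPs from an Apache web server's access log. Along the way an error appeared saying the index could not be matched to the geo_point type. I had no idea what that meant, and only solved it after finding a method online. The main error is as follows: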

    Error message:

    No Compatible Fields: The "logstash_apachelogs" index pattern does not contain any of the following field types: geo_point

    That seemed very strange, so let's look at my configuration file:

    input {
            redis {
                    host => "172.16.0.54"
                    port => 6379
                    db => 1
                    password => "123456"
                    data_type => "list"
                    key => "apache_filter_index"
                    codec => json {
                            charset => "UTF-8"
                    }
                    add_field => {"[@metadata][myfulltotal]" => "apacheaccess_log"}
            }
    }
    
    filter {
            if [@metadata][myfulltotal] == "apacheaccess_log" {
                    mutate {
                            gsub => ["message","\x","\x"]
                    }
                    if ( 'method":"HEAD' in [message] ) {
                            drop{}
                    }
                    json {
                            source => "message"
                            add_field => {"[@metadata][direct_ip]" => "%{direct_ip}"}
                            remove_field => "message"
                            remove_field => "prospector"
                            remove_field => "beat"
                            remove_field => "host"
                            remove_field => "input"
                            remove_field => "source"
                            remove_field => "offset"
                            remove_field => "fields"
                            remove_field => "@version"
                    }
                    date {
                            match => ["timestamp","yyyy-MM-dd HH:mm:ss Z"]
                    }
                    mutate {
                            split => ["client_ip",","]
                    }
                    mutate {
                            replace => { "client_ip" => "%{client_ip[0]}"}
                    }
                    mutate {
                            convert => ["body_bytes_sent","integer"]
                            convert => ["total_bytes_sent","integer"]
                    }
                    if [client_ip] == "-" {
                            if [@metadata][direct_ip] not in ["%{direct_ip}","-"]{
                                    mutate {
                                            replace => { "client_ip" => "%{direct_ip}" }
                                    }
                            } else {
                                    drop {}
                            }
                    }
                    geoip {
                            source => "client_ip"
                            target => ["geoip"]
                            add_field => ["[geoip][coordinates]", "%{[geoip][longitude]}"]
                            add_field => ["[geoip][coordinates]", "%{[geoip][latitude]}"]
                    }
                    mutate {
                            convert => ["[geoip][coordinates]","float"]
                    }
                    mutate {
                            remove_field => ["direct_ip"]
                            remove_field => ["timestamp"]
                    }
            }
    }
    output {
            if [@metadata][myfulltotal] == "apacheaccess_log" {
                    elasticsearch {
                            hosts => ["172.16.0.51:9200"]
                            index => "logstash_apachelogs"
                    }
            }
    }

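    Everything looks fine; written in this format, there should be no error. The error message, however, indicates that the geo location field is not of type geo_point, so let's check the mapping with a GET request: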

    [root@ELK-chaofeng07 httpd]# curl -XGET http://172.16.0.51:9200/logstash_apachelogs/_mapping/
    {"logstash-apachelogs":{"mappings":{"_default_":{"dynamic_templates":,{"string_fields":{"match":"*","m,"@version":{"type":"keyword"},"geoip":{"dynamic":"true","properties":{"ip":{"type":"ip"},"latitude":{"type":"half_float"},"location":{"type":"geo_point"},"longitude":{"type":"half_float"}}}}},"doc":{"dynamic_templates":[{"message_field":{"path_match":"message","match_mapping_type":"string","mapping":{"norms":false,"type":"text"}}},{"string_fields":{"match":"*","match_mapping_type":"string","mapping":{"fields":{"keyword":{"ignore_above":256,"type":"keyword"}},"norms":false,"type":"text"}}}],"properties":{"@timestamp":{"type":"date"},"@version":{"type":"keyword"},"body_bytes_sent":{"type":"long"},"client_ip":{"type":"text","norms":false,"fields":{"keyword":{"type":"keyword",},"continent_code":{"type":"text","norms":false,"fields":{"keyword":{"type":"keyword","ignore_above":256}}},"coordinates":{"type":"float"},"country_code2":{"type":"text","norms":false,"fields":{"keyword":{"type":"keyword","ignore_above":256}}},"country_code3":{"type":"text","norms":false,"fields":{"keyword":{"type":"keyword","ignore_above":256}}},"country_name":{"type":"text","norms":false,"fields":{"keyword":{"type":"keyword","ignore_above":256}}},"ip":{"type":"ip"},"latitude":{"type":"half_float"},"location":{"type":"float"},"longitude":{"type":"half_float"},"region_code":}}}}}}}

    We can see that location is currently of type float. So our goal is to turn it into the geo_point type.

    Let's analyze the cause:

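      The log data in the logstash_apachelogs index is written to Elasticsearch by Logstash. In Elasticsearch every piece of data has a type, and the type determines which type-specific operations can be performed on it. The location field in the geo information holds the latitude and longitude, which we need in order to place a point geographically. To use Elasticsearch's geo-location query features on latitude/longitude values, the value has to be built as a structure whose type is set to geo_point.

    Solution: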

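      Elasticsearch supports predefining settings and mappings for indices. In fact, ES already has a default predefined template, and we only need to use it. The template is applied only to indices whose names match logstash-*. Since our Logstash configuration used a logstash_* index name, the default template did not match, so all we need to do is change the index name. After that, the map no longer reports this error.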
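The check described above, as an added example that is not part of the original post: it tests whether an index name matches the `logstash-*` template pattern and lists the geo_point fields found in a `_mapping` response, which is the field type the Coordinate Map requires. The sample mapping is constructed, and the function names are hypothetical.

```python
import fnmatch

# Pattern the article gives for the default template. fnmatch is used here as
# a stand-in for Elasticsearch's "*" wildcard matching (assumption).
DEFAULT_TEMPLATE_PATTERN = "logstash-*"

def template_applies(index_name, pattern=DEFAULT_TEMPLATE_PATTERN):
    """True if an index created under this name would match the template."""
    return fnmatch.fnmatchcase(index_name, pattern)

def _walk(properties, prefix=""):
    """Yield dotted paths of every geo_point field, descending into objects."""
    for name, spec in properties.items():
        if spec.get("type") == "geo_point":
            yield prefix + name
        yield from _walk(spec.get("properties", {}), prefix + name + ".")

def geo_point_fields(mapping_response):
    """Map each index in a GET <index>/_mapping response to its geo_point fields."""
    result = {}
    for index, body in mapping_response.items():
        mappings = body.get("mappings", {})
        # 6.x (as in the article) nests mappings by document type; 7.x+ does not.
        typed = {"_": mappings} if "properties" in mappings else mappings
        found = set()
        for doc_type, type_mapping in typed.items():
            if doc_type == "_default_":  # defaults for new types, holds no documents
                continue
            found.update(_walk(type_mapping.get("properties", {})))
        result[index] = sorted(found)
    return result

# Constructed sample, trimmed to the fields that matter here.
SAMPLE = {
    "logstash_apachelogs": {"mappings": {"doc": {"properties": {
        "client_ip": {"type": "text"},
        "geoip": {"properties": {"coordinates": {"type": "float"},
                                 "location": {"type": "float"}}}}}}},
    "logstash-apachelogs": {"mappings": {"doc": {"properties": {
        "client_ip": {"type": "text"},
        "geoip": {"properties": {"location": {"type": "geo_point"}}}}}}},
}

if __name__ == "__main__":
    for index, fields in geo_point_fields(SAMPLE).items():
        print(index, "template applies:", template_applies(index), "geo_point:", fields)
```

Index templates are applied only when an index is created, so the check is meaningful for the index written under the new name, not for the one that already exists with the float mapping.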

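    So this is a really inconspicuous mistake, but it caused a big problem and left me quite confused. Next we should take a proper look at what a mapping actually is.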

  • Original article: https://www.cnblogs.com/FengGeBlog/p/10508760.html