filebeat更改mapping 字段类型

 采集nginx日志的时候发现从filebeat采集的json日志到elasticsearch里面都是keyword类型,导致我模糊查询部分字段的时候无法模糊匹配,所以需要将某些字段改成text类型。

filebeat.inputs:
- type: log
  enabled: true
  json.keys_under_root: true
  json.overwrite_keys: true
  paths:
    - "/x/*.log"
  tags: ["php-nginx-access"]

output.elasticsearch:
  hosts: ["10.8.44.5:9200"]
  username: "xxx"
  password: "xxx"
  indices:
    - index: "php-nginx-access-%{[agent.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "php-nginx-access"
setup.template.name: "php-nginx-access"
setup.template.pattern: "php-nginx-access-*"
setup.template.fields: "myfields.yml"
setup.template.overwrite: true
setup.template.enabled: true
setup.ilm.enabled: false

 

关键的地方就是修改了fields.yml。

- key: php-nginx-access
  title: php
  description: >
    php access log
  fields:
  - name: request
    type: text
    ignore_above: 1024
  - name: '@timestamp'
    level: core
    required: true
    type: date
    description: 'Date/time when the event originated.

      This is the date/time extracted from the event, typically representing when
      the event was generated by the source.

      If the event source has no original timestamp, this value is typically populated
      by the first time the event was received by the pipeline.

      Required field for all events.'
    example: '2016-05-23T08:05:34.853Z'

 

posted @ 2021-03-28 18:38  JvvYou  阅读(1075)  评论(0编辑  收藏  举报