elasticsearch filebeat mapper\u解析\u使用decode\u json\u字段时出现异常

kse8i1jr  于 2021-06-14  发布在  ElasticSearch
关注(0)|答案(1)|浏览(356)

我有eck设置,我用filebeat把日志从kubernetes发送到elasticsearch。
我最近补充道 decode_json_fields 处理器到我的配置,以便我能够解码通常在 message 现场。

- decode_json_fields:
          fields: ["message"]
          process_array: false
          max_depth: 10
          target: "log"
          overwrite_keys: true
          add_error_key: true

但是,添加后日志已停止显示。
日志示例:

{
  "_index": "filebeat-7.9.1-2020.10.01-000001",
  "_type": "_doc",
  "_id": "wF9hB3UBtUOF3QRTBcts",
  "_score": 1,
  "_source": {
    "@timestamp": "2020-10-08T08:43:18.672Z",
    "kubernetes": {
      "labels": {
        "controller-uid": "9f3f9d08-cfd8-454d-954d-24464172fa37",
        "job-name": "stream-hatchet-cron-manual-rvd"
      },
      "container": {
        "name": "stream-hatchet-cron",
        "image": "<redacted>.dkr.ecr.us-east-2.amazonaws.com/stream-hatchet:v0.1.4"
      },
      "node": {
        "name": "ip-172-20-32-60.us-east-2.compute.internal"
      },
      "pod": {
        "uid": "041cb6d5-5da1-4efa-b8e9-d4120409af4b",
        "name": "stream-hatchet-cron-manual-rvd-bh96h"
      },
      "namespace": "default"
    },
    "ecs": {
      "version": "1.5.0"
    },
    "host": {
      "mac": [],
      "hostname": "ip-172-20-32-60",
      "architecture": "x86_64",
      "name": "ip-172-20-32-60",
      "os": {
        "codename": "Core",
        "platform": "centos",
        "version": "7 (Core)",
        "family": "redhat",
        "name": "CentOS Linux",
        "kernel": "4.9.0-11-amd64"
      },
      "containerized": false,
      "ip": []
    },
    "cloud": {
      "instance": {
        "id": "i-06c9d23210956ca5c"
      },
      "machine": {
        "type": "m5.large"
      },
      "region": "us-east-2",
      "availability_zone": "us-east-2a",
      "account": {
        "id": "<redacted>"
      },
      "image": {
        "id": "ami-09d3627b4a09f6c4c"
      },
      "provider": "aws"
    },
    "stream": "stdout",
    "message": "{\"message\":{\"log_type\":\"cron\",\"status\":\"start\"},\"level\":\"info\",\"timestamp\":\"2020-10-08T08:43:18.670Z\"}",
    "input": {
      "type": "container"
    },
    "log": {
      "offset": 348,
      "file": {
        "path": "/var/log/containers/stream-hatchet-cron-manual-rvd-bh96h_default_stream-hatchet-cron-73069980b418e2aa5e5dcfaf1a29839a6d57e697c5072fea4d6e279da0c4e6ba.log"
      }
    },
    "agent": {
      "type": "filebeat",
      "version": "7.9.1",
      "hostname": "ip-172-20-32-60",
      "ephemeral_id": "6b3ba0bd-af7f-4946-b9c5-74f0f3e526b1",
      "id": "0f7fff14-6b51-45fc-8f41-34bd04dc0bce",
      "name": "ip-172-20-32-60"
    }
  },
  "fields": {
    "@timestamp": [
      "2020-10-08T08:43:18.672Z"
    ],
    "suricata.eve.timestamp": [
      "2020-10-08T08:43:18.672Z"
    ]
  }
}

在filebeat日志中,我可以看到以下错误:
2020-10-08t09:25:43.562z警告[elasticsearch]elasticsearch/client.go:407无法索引event publisher.event{content:beat.event{timestamp:time.time{wall:0x36b243a0, ext:63737745936,loc:(*时间位置)(nil)},meta:null,字段:{“agent”:{“ephemeral_id”:“5f8afdba-39c3-4fb7-9502-be7ef8f2d982”,“hostname”:“ip-172-20-32-60”,“id”:“0f7fff14-6b51-45fc-8f41-34bd04dc0bce”,“name”:“ip-172-20-32-60”,“type”:“filebeat”,“version”:“7.9.1”},“cloud”:{“account”:{“id”:“700849607999”},“availability\u zone”:“us-east-2a”,“image”:{“id”:“ami 09d3627b4a09f6c4c”},“instance”:{“id”:“i-06c9d23210956ca5c”},“machine”:“type”:“m5.large”},“provider”:“aws”,“region”:“us-east-2”},“ecs”:{“version”:“1.5.0”},“host”:{“architecture”:“x86\u 64”,“containerized”:false,“hostname”:“ip-172-20-32-60”,“ip”:[“172.20.32.60”,“fe80::af:9”fff:febe:dc4”,“172.17.0.1”,“100.96.1.1”,“fe80::6010:94ff:fe17:fbae”,“fe80::d869:14ff:feb0:81b3”,“fe80::e4f3:b9ff:fed8:e266”,“fe80::1c19:bcff:feb3:ce95“,”fe80::fc68:21ff:fe08:7f24“,”fe80::1cc2:daff:fe84:2a5a“,“fe80::3426:78ff:fe22:269a”,“fe80::b871:52ff:fe15:10ab”,“fe80::54ff:cbff:fec0:f0f“,”fe80::cca6:42ff:fe82:53fd“,”fe80::bc85:e2ff:fe5f:a60d“,”fe80::e05e:b2ff:fe4d:a9a0“,”fe80::43a:dcff:fe6a:2307“,”fe80::581b:20ff:fe5f:b060“,”fe80::4056:29ff:fe07:edf5“,”fe80::c8a0:5aff:febd:a1a3“,”fe80::74e3:feff:fe45:d9d4“,”fe80::9c91:5cff:fee2:c0b9“],“mac”:“mac”::“02:02:af:9f:f:9f:be:0d:c4”,“02:42:42:1b:56:ee:d3:d3”,“62:10:94:17:17:fb:ae;da:69:14:b0:14:b0:9f:9f:9f:9f:9f:9f:9f:9f:9b:56:ee:d3:d3;62:10:94:17:17:fb:fb:ae”、“da:69:14:14:14:b0:81:b3:81:b3”、“e6:b3:3:b3:b3:9:b9:8:d8:8:d8:8:d8:8:d8:8:d8:8:8:d8:8:8:8:8:8:66”、“1e:19:19:19:bc:be:be:be:b第5节:a9:a0,“06:3a:dc:6a:23:07”,“5a:1b:20:5f:b0:60”,“42:56:29:07:ed:f5”,“ca:a0:5a:bd:a1:a3”,“76:e3:fe:45:d9:d4”,“9e:91:5c:e2:c0:b9”],“name”:“ip-172-20-32-60”,“os”:{“codename”:“core”,“family”:“redhat”,“kernel”:“4.9.0-11-amd64”,“name”:“centos linux”,“platform”:“centos”,“version”:“7(core)”},“input”:{“type”:“container”},“kubernetes”:{“container”:{“image”:“700849607999.dkr.ecr.us-east-2.amazonaws.com/stream-hatchet:v0.1.4“,”name“:”stream-hatchet-cron“}”,labels“:{”controller uid“:”a79daeac-b159-4ba7-8cb0-48afbfc0711a,“job name“:”stream-hatchet-cron-manual-c5r“}”,namespace“:”default“,”node“:{”name“:”ip-172-20-32-60.us-east-2.compute.internal“},“pod”:{“name”:“stream-hatchet-cron-manual-c5r-7cx5d”,“uid”:“3251cc33-48a9-42b1-9359-9f6e345f75b6”},“log”:{“level”:“info”,“message”:{“log类型”:“cron”,“status”:“start”},“timestamp”:“2020-10-08t09:25:36.916z”},“message”:{“message”:{“log类型”:“cron”,“status”:“start”},“level”:“info”,“timestamp”:“2020-10-08t09:25:36.916z”},“stream”:“stdout”}, private:file.state{id:“本机::30998361-66306”,previd:“”,finished:false,fileinfo:(*os.filestat)(0xc001c14dd0),源:“/var/log/containers/stream-hatchet-cron-manual-c5r-7cx5d\u default\u stream-hatchet-cron-4278d956fff8641048efeaec23b383b41f2662773602c3a7daffe7c30f62fe5a.log”,offset:539, timestamp:time.time{wall:0xbfd7d4a1e556bd72, ext:916563812286,loc:(*time.location)(0x607c540)},ttl:-1,类型:“容器”,meta:map[string]字符串(nil),filestateos:file.stateos{inode:0x1d8ff59, device:0x10302},identifiername:“本机”},timeseries:false}, flags:0x1, cache:publisher.eventcache{m:common.mapstr(nil)}(status=400):{“type”:“mapper\u parsing\u exception”,“reason”:“无法分析id为‘56ahb3ublgyb8gz801di’的文档中类型为[keyword]的字段[log.message]。字段值的预览:“{log\u type=cron,status=start}”,由“{”type“:”非法的“state\u exception”,“reason”:“无法在1:113获取start\u对象上的文本”}
它抛出一个错误,因为log.message的类型显然是“keyword”,但是索引Map中不存在这种类型。
我想这可能是因为 "target": "log" 所以我试着把它改成一些任意的东西,比如“myu parsed\u message”或者“m\u log”或者“mlog”,我得到了相同的错误。
{“type”:“mapper\u parsing\u exception”,“reason”:“未能分析id为'j5kldhub\u yo5bfxcn2le'的文档中类型为[keyword]的字段[mlog.message]。字段值的预览:“{log\u type=cron,status=end}”,由“{”type“:”非法的\u状态\u异常“,”原因“:”无法在1:217获取开始\u对象上的文本“}”
弹性版本:7.9.2

elasticsearchfilebeat

1条答案

按热度按时间
vnjpjtjt

vnjpjtjt1#

问题是一些json消息包含 message 字段,有时是一个简单的字符串,有时是一个嵌套的json对象(比如在问题中显示的情况)。
创建此索引后,解析的第一条消息可能是一个字符串,因此已修改Map以添加以下字段(第10553行):

"mlog": {
   "properties": {
       ...
       "message": {
          "type": "keyword",
          "ignore_above": 1024
       },
   }
}

你会发现同样的模式 my_parsed_message (第10902行), my_parsed_logs (第10742行)等。。。
因此,下一个信息随之而来 message 作为一个json对象,比如

{"message":{"log_type":"cron","status":"start"}, ...

不会工作,因为它是一个对象,不是一个字符串。。。
查看自定义json的字段,您似乎无法真正控制它们的分类法(即命名)或它们包含的内容。。。
如果您真的想在这些自定义字段中进行搜索(我认为您是这样做的,因为您正在解析字段,否则您只需要存储字符串化的json),那么我只能建议您开始找出一个合适的分类法,以确保它们都得到一个标准类型。
如果您只关心记录数据,那么我建议您只需禁用该消息字段的索引。另一个解决办法是 dynamic: false 在Map中忽略这些字段,即不修改Map。

赞(0)分享  回复(0)举报  2021-06-15
我来回答

相关问题

    查看更多
    微信公众号

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com