es创建索引和mapping
索引和type分开创建
1、创建index
http://127.0.0.1:9200/ negative/ put { "settings": { "index": { "search": { "slowlog": { "threshold": { "fetch": { "debug": "5s" }, "query": { "warn": "20s" } } } }, "indexing": { "slowlog": { "threshold": { "index": { "info": "20s" } } } }, "number_of_shards": "1", "number_of_replicas": "0" } } }
2、创建mapping
http://127.0.0.1:9200/ negative/negative/_mapping post {"properties":{ "id": { "type": "long" }, "yjlb": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "ejlb": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "sjlb": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "detail": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "ssyj": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } } }}
索引和type一次创建
(注意:mapping下面一层的key值 是type名称)
http://192.168.0.213:9200/ announcement/ put { "settings": { "index": { "search": { "slowlog": { "threshold": { "fetch": { "debug": "5s" }, "query": { "warn": "20s" } } } }, "indexing": { "slowlog": { "threshold": { "index": { "info": "20s" } } } }, "number_of_shards": "1", "number_of_replicas": "0" } }, "mappings": { "announcement": { "properties": { "id": { "type": "keyword" }, "createtime": { "type": "date", "format": "yyyy-MM-dd HH:mm:ss||yyyy-MM-dd||epoch_millis" }, "creatby": { "type": "keyword" }, "updatetime": { "type": "date", "format": "yyyy-MM-dd HH:mm:ss||yyyy-MM-dd||epoch_millis" }, "type": { "type": "keyword" }, "status": { "type": "keyword" }, "title": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "cont": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "files": { "type": "nested", "properties": { "id": { "type": "keyword" }, "filename": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } } } } } } } }
更改elasticsearch中索引的mapping
昨天研发说在kibana中统计userid字段不出图,后来查到该字段显示冲突了,然后再查看了GET test/_mapping下该索引的mapping,发现userid是long类型的,而userid.keyword是string类型的,出现这种情况的根本原因是日志中这个字段存的是数值类型的值,改成字符串类型即可,由于急着用,我司上线一般是下午6点30上线,所以临时修改了下该字段的类型,步骤如下:
查看旧索引的mapping
GET test
/_mapping
找到userid这个字段,修改类型为keyword,如下:
{ "mappings": { "doc": { "properties": { "@timestamp": { "type": "date" }, "@version": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "beat": { "properties": { "hostname": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "name": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "version": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } } } }, "code": { "type": "long" }, "dip": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "fields": { "properties": { "log_topic": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } } } }, "host": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "message": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "method": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "name": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "offset": { "type": "long" }, "referer": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "sip": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "source": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "tags": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "time": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "url": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "userid": { "type": "keyword" #修改此处 } } } } }
创建一个自定义mapping的新索引
PUT test-new { "mappings": { "doc": { "properties": { "@timestamp": { "type": "date" }, "@version": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "beat": { "properties": { "hostname": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "name": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "version": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } } } }, "code": { "type": "long" }, "dip": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "fields": { "properties": { "log_topic": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } } } }, "host": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "message": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "method": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "name": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "offset": { "type": "long" }, "referer": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "sip": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "source": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "tags": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "time": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "url": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "userid": { "type": "keyword" } } } } }
把旧索引的数据reindex到新索引上
注意,旧索引先停止新数据的写入
POST _reindex { "source": { "index": "test" }, "dest": { "index": "test-new" } }
删除旧索引
DELETE test
按照步骤2创建test索引
PUT test { "mappings": { "doc": { "properties": { "@timestamp": { "type": "date" }, "@version": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "beat": { "properties": { "hostname": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "name": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "version": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } } } }, "code": { "type": "long" }, "dip": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "fields": { "properties": { "log_topic": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } } } }, "host": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "message": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "method": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "name": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "offset": { "type": "long" }, "referer": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "sip": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "source": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "tags": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "time": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "url": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }, "userid": { "type": "keyword" } } } } }
把test-new索引的数据reindex到test索引上
POST _reindex { "source": { "index": "test-new" }, "dest": { "index": "test" } }
查看test索引的mapping
GET test/_mapping,执行命令后,可以看到userid的字段类型为keyword类型了
然后再打开该索引接收新数据的开关
总结
以上为个人经验,希望能给大家一个参考,也希望大家多多支持脚本之家。