Template fields mappings for nginx module with filebeat on kubernetes are not correctly loaded

I am deploying filebeat in kubernetes using the k8s manifests from here: https://raw.githubusercontent.com/elastic/beats/7.5/deploy/kubernetes/filebeat-kubernetes.yaml

The filebeat template is loaded into elasticsearch, but the mappings for the nginx module are incomplete:

"nginx" : {
  "properties" : {
    "access" : {
      "properties" : {
        "geoip" : {
          "type" : "object"
        },
        "user_agent" : {
          "type" : "object"
        }
      }
    },
    "error" : {
      "properties" : {
        "connection_id" : {
          "type" : "long"
        }
      }
    }
  }
},

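Most of the nginx properties defined in fields.yaml are aliases, and none of the properties defined as aliases are making it into the filebeat template.

Am I missing something as part of the filebeat configuration?

I also tried my custom fields.yaml, in which I replaced the aliases with their concrete definitions, and the mappings loaded by elasticsearch look fine.

I ended up mounting my own fields.yml as a ConfigMap on the filebeat DaemonSet, with the alias fields replaced by their concrete definitions.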

As Marcin Tojek of Elastic pointed out in the Elastic community post "Filebeat versions from 7.0 - 7.8 fail to create alias field mappings for majority of modules", the Beats Platform Reference 7.8, chapter Upgrade, section Upgrade from 6.x to 7.x, states the following:

Starting with 7.0, the fields exported by Beats conform to the Elastic Common Schema (ECS). Many of the exported fields have been renamed. See Breaking changes in 7.0 for the full list of changed names.

To help you transition to the new fields, we provide a compatibility layer in the form of ECS-compatible field aliases. To use the aliases, set the following option in the Beat’s configuration file before you upgrade the Elasticsearch index template to 7.0.

migration.6_to_7.enabled: true

The field aliases let you use 6.x dashboards and visualizations with indices created by Beats 7.0 or later. The aliases do not work with saved searches or with API calls that manipulate documents directly.

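Note that as of July 29, 2020, neither the Filebeat Reference 7.8 chapter Exported fields nor the sections on the Filebeat modules mention this; those sections still list all the aliases, which are no longer created by default on fresh installs unless "migration.6_to_7.enabled: true" is explicitly enabled.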
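An added example, not part of the original posts and not Elastic's own code: a check that compares field definitions against the mapping actually loaded in the template and reports aliases that never arrived. The two alias entries and the `migration` key are constructed sample data assumed to follow the fields.yml entry shape; in practice the mapping would be read from the index template stored in Elasticsearch.

```python
import json

# Constructed sample modelled on fields.yml alias entries (assumed shape:
# name / type / path / migration); not copied from the Beats repository.
FIELD_DEFS = [
    {"name": "nginx.access.method", "type": "alias",
     "path": "http.request.method", "migration": True},
    {"name": "nginx.access.url", "type": "alias",
     "path": "url.original", "migration": True},
    {"name": "nginx.error.connection_id", "type": "long"},
]

# The "nginx" fragment of the loaded template, as shown in the question.
LOADED = json.loads("""
{"nginx": {"properties": {
  "access": {"properties": {"geoip": {"type": "object"},
                            "user_agent": {"type": "object"}}},
  "error": {"properties": {"connection_id": {"type": "long"}}}}}}
""")


def flatten(properties, prefix=""):
    """Map dotted field names to their leaf mapping bodies."""
    leaves = {}
    for name, body in properties.items():
        if "properties" in body:
            leaves.update(flatten(body["properties"], f"{prefix}{name}."))
        else:
            leaves[prefix + name] = body
    return leaves


def audit(field_defs, properties):
    """Return (missing, wrong_type): fields absent from or mistyped in the template."""
    mapped = flatten(properties)
    missing, wrong_type = [], []
    for field in field_defs:
        body = mapped.get(field["name"])
        if body is None:
            missing.append((field["name"], field.get("migration", False)))
        elif body.get("type") != field["type"]:
            wrong_type.append(field["name"])
    return missing, wrong_type


if __name__ == "__main__":
    missing, wrong_type = audit(FIELD_DEFS, LOADED)
    for name, migration in missing:
        hint = "needs migration.6_to_7.enabled: true" if migration else "check fields.yml"
        print(f"MISSING {name} ({hint})")
    for name in wrong_type:
        print(f"TYPE MISMATCH {name}")
```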