Hi Alex, I am using logstash to index my data to elasticsearch. When I do not use this template I am able to push data. Here are a few lines from the log file that I have:

2014-05-05 14:51:20,248 (main) a_class INFO: message1
2014-05-05 14:51:20,249 (main) a_class INFO: message2
2014-05-05 14:51:20,510 (main) b_class INFO: message3
2014-05-05 14:51:20,597 (main) x_class INFO: message4
2014-05-05 14:51:20,701 (main) d_class INFO: message5

My grok parser is

SERVERLOG %{TIMESTAMP_ISO8601} \(%{NOTSPACE:thread}\) %{WORD:class} %{LOGLEVEL:severity}: %{GREEDYDATA:message}

I have attached my template.json. Thanks a lot for your help.
I am processing these in logstash.
On Monday, May 5, 2014 3:37:52 AM UTC-7, Alexander Reelsen wrote:
>
> Hey,
>
> can you include a full example including data you have been indexing? Or
> include error messages, as you wrote you cannot index any data anymore?
>
> Also, your JSON is not valid as the mapping for the class field contains
> one comma too many.
>
>
> --Alex
>
>
> On Thu, May 1, 2014 at 1:53 AM, Deepak Jha <[email protected]> wrote:
>
>> Hi,
>> I have set up the ELK stack and I am going by the default index name, which is
>> logstash-YYYY.MM.DD. Since this is the only index format I have, I decided
>> to create a template file, so that whenever a new index gets created I can
>> set up the mapping property. I am not able to push the data to
>> elasticsearch if my index mapping gets created from the template. May I know
>> where I am wrong?
>>
>> Here is my mapping file content:
>> {
>> "X_Server" : {
>> "properties" : {
>> "@timestamp" : {
>> "type" : "date",
>> "format" : "dateOptionalTime"
>> },
>> "@version" : { "type" : "string" },
>> "class" : { "type" : "string" },
>> "file" : { "type" : "string"},
>> "message": {"type": "string"},
>> "host" : { "type" : "string", "index": "not_analyzed" }
>> }}}
>>
>>
>> My template file content is
>>
>> {
>> "template": "logstash-*",
>> "settings" : {
>> "index.number_of_shards" : 3,
>> "index.number_of_replicas" : 1,
>> "index.query.default_field" : "@message",
>> "index.routing.allocation.total_shards_per_node" : 2,
>> "index.auto_expand_replicas": false
>> },
>> "mappings": {
>> "X_Server": {
>> "_all": { "enabled": false },
>> "_source": { "compress": false },
>> "properties" : {
>> "class" : { "type" : "string", },
>> "host" : { "type" : "string", "index" : "not_analyzed" },
>> "file" : { "type" : "string" },
>> "message" : { "type": "string"}
>> }
>> }}}
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "elasticsearch" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/elasticsearch/b1d382b5-0fa7-4a2c-96f0-150d856482cc%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>

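The extra comma Alex points out can be caught before a template is ever loaded. The following Python lint is an added example, not part of the original thread: it parses the template strictly, reports the line of a syntax error, and lists the mapped fields once the file parses. `lint_template` and `POSTED_TEMPLATE` are names chosen here, and the template is the one posted above with its settings abridged.

```python
import json

# Template as posted in the thread (settings abridged); the trailing comma
# after "string" in the "class" mapping is kept on purpose.
POSTED_TEMPLATE = """{
  "template": "logstash-*",
  "settings": {
    "index.number_of_shards": 3,
    "index.number_of_replicas": 1
  },
  "mappings": {
    "X_Server": {
      "_all": { "enabled": false },
      "properties": {
        "class": { "type": "string", },
        "host": { "type": "string", "index": "not_analyzed" },
        "file": { "type": "string" },
        "message": { "type": "string" }
      }
    }
  }
}"""


def lint_template(text):
    """Return (problems, fields): problem strings and {type.field: es_type}."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as err:
        # err.lineno is 1-based; show the offending source line with the message.
        line = text.splitlines()[err.lineno - 1].strip()
        return [f"line {err.lineno}: {err.msg}: {line}"], {}
    problems, fields = [], {}
    if not isinstance(doc.get("template"), str):
        problems.append('missing "template" index pattern')
    for doc_type, mapping in doc.get("mappings", {}).items():
        for name, spec in mapping.get("properties", {}).items():
            # Assumption: flat fields only, as in the thread's template.
            if not isinstance(spec, dict) or "type" not in spec:
                problems.append(f"{doc_type}.{name}: no type declared")
            else:
                fields[f"{doc_type}.{name}"] = spec["type"]
    return problems, fields


if __name__ == "__main__":
    print(lint_template(POSTED_TEMPLATE)[0])
    fixed = POSTED_TEMPLATE.replace('"string", }', '"string" }')
    print(lint_template(fixed))
```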