I have the same warning messages in my Elasticsearch deprecation log, though
i have yet to sort it out, and likely wont until early January.
Elasticsearch 5.X is still relatively new, thus omelasticsearch likely has
not caught up to some of the recent API changes. I have myself yet to submit
a request in github.
In lieu of knowledge in modifying the omelasticsearch code the following can
be done as a work around, or in general to modify the API request sent to
elasticsearch.
Using TCPDUMP you can see the whats submitted to the cluster and pick out
the API header at the start of omelasticsearch submission; looks like:
{"index":{"_index": "myindex-2016.12.21","type":"events"}}{<data>}
Because omelasticsearch allows for dynamic templates we can be sneaky and
modify the request by adding additional json to as a constant. The following
is an example of adding a pipeline using the index template
(dynSearchIndex).
template(
name="myindex"
type="list"
){
constant(value="myindex")
constant(value="-")
property(name="timegenerated" dateFormat="rfc3339"
position.from="1" position.to="4")
constant(value=".")
property(name="timegenerated" dateFormat="rfc3339"
position.from="6" position.to="7")
constant(value=".")
property(name="timegenerated" dateFormat="rfc3339"
position.from="9" position.to="10")
constant(value="\",\"pipeline\":\"mypipeline")
}
Now when we check the tcpdump output for the request we see the following:
{"index":{"_index":
"myindex-2016.12.21","pipeline":"mypipline","type":"events"}}{<data>}
This is what I currently do to provide geoip information (as i have yet to
sort out the rsyslog version) as well as re-map field names when there are
conflicts. A good example is when using the regular json output from
impstats.
The same could possible be applied to the type template (dynSearchType) to
modify the API. Though i have yet to try; Im not super optimastic that it
will. In theroy it might look something like the following (Note that this
also assumes this fixes the deprecation concerns.):
template(
name="mytype"
type="list"
){
constant(value="_mapping\":{")
constant(value="mytype")
constant(value="}")
}
Thanks
~Regards
-----
~Regards
Matthew Gaetano
--
View this message in context:
http://rsyslog-users.1305293.n2.nabble.com/omelasticsearch-index-warning-tp7591961p7591997.html
Sent from the rsyslog-users mailing list archive at Nabble.com.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
