V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
pol
V2EX  ›  日志处理

elk 这套日志 最近报错 无效索引要小写,求指导

  •  
  •   pol · 69 天前 · 278 次点击
    这是一个创建于 69 天前的主题,其中的信息可能已经有所发展或是发生改变。
    [2024-10-17T16:43:21,934][ERROR][logstash.outputs.elasticsearch][audit][9b837e55c8099cbb5d15de6e33ff7d57678ffc02f082744561c30f21c7610c3c] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"asr-test-%{[appName]}-%{[serverName]}.log-2024.10.17", :routing=>nil}, {"@timestamp"=>2024-10-17T08:43:21.696Z, "logstash_destination"=>"10ip 打码 90:9889", "host"=>"1ip 打码 97", "logger_name"=>"cn.com.safeware.common.logback.GlobalTraceLogIdSetting", "thread_name"=>"http-nio-9040-exec-159", "type"=>"logback", "env"=>"test", "level_value"=>20000, "traceId"=>"369b8faa9ae54e9ea79c241236670b97", "level"=>"INFO", "app_name"=>"erp", "server_name"=>"api-web", "port"=>33726, "@version"=>"1", "message"=>"请求方式 : POST"}], :response=>{"index"=>{"_index"=>"asr-test-%{[appName]}-%{[serverName]}.log-2024.10.17", "_type"=>"_doc", "_id"=>nil, "status"=>400, "error"=>{"type"=>"invalid_index_name_exception", "reason"=>"Invalid index name [asr-test-%{[appName]}-%{[serverName]}.log-2024.10.17], must be lowercase", "index_uuid"=>"_na_", "index"=>"asr-test-%{[appName]}-%{[serverName]}.log-2024.10.17"}}}}
    
    
    

    上面是报错日志,接下来看我 logstash 的配置

     cat logstash-audit.conf
    input {
      beats {
        port => 5044
      }
    
      tcp {  
        port => 9889
        codec => json
      }
    }
    
    filter {
        if [stack_trace] {
          mutate {
                update => { "message" => "%{[message]}%{[stack_trace]}" }
            }
        }
    }
    
    output {
      if "erp" in [tags] {
         elasticsearch {
            hosts => [ "17ip 打码 900" ]
            index => "erp-log%{+YYYY.MM.dd}"
         }
      }
    else if "node167" in [tags] {
             elasticsearch {
                    hosts => [ "17ip 打码 90" ]
                    index => "ecow-log%{+YYYY.MM.dd}"
         }
      }
    else if "app" in [tags] {
         elasticsearch {
                    hosts => [ "1ip 打码 9200" ]
                    index => "app-log%{+YYYY.MM.dd}"
         }
      }
    else if "app_name" == "seata-server" {
        elasticsearch {
          hosts => ["http://1ip 打码 9200"]
          index => "pro-seata-server.log-%{+YYYY.MM.dd}"
        }
     }
    else {
        elasticsearch {
          hosts => ["http://17ip 打码 9200"]
          index => "asr-%{[env]}-%{[appName]}-%{[serverName]}.log-%{+YYYY.MM.dd}" 
        }
     }
    }
    

    报错影响的应该是这行配置

    else {
        elasticsearch {
          hosts => ["http://17ip 打码 9200"]
          index => "asr-%{[env]}-%{[appName]}-%{[serverName]}.log-%{+YYYY.MM.dd}" 
        }
    

    可以看到我这里使用了三个变量,这里我保证这 3 个变量拿到的值一定是全小写 请问这里是什么问题,有没有知道的,或者提供下思路

    目前尚无回复
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   1407 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 22ms · UTC 17:26 · PVG 01:26 · LAX 09:26 · JFK 12:26
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.