[2024-10-17T16:43:21,934][ERROR][logstash.outputs.elasticsearch][audit][9b837e55c8099cbb5d15de6e33ff7d57678ffc02f082744561c30f21c7610c3c] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"asr-test-%{[appName]}-%{[serverName]}.log-2024.10.17", :routing=>nil}, {"@timestamp"=>2024-10-17T08:43:21.696Z, "logstash_destination"=>"10ip 打码 90:9889", "host"=>"1ip 打码 97", "logger_name"=>"cn.com.safeware.common.logback.GlobalTraceLogIdSetting", "thread_name"=>"http-nio-9040-exec-159", "type"=>"logback", "env"=>"test", "level_value"=>20000, "traceId"=>"369b8faa9ae54e9ea79c241236670b97", "level"=>"INFO", "app_name"=>"erp", "server_name"=>"api-web", "port"=>33726, "@version"=>"1", "message"=>"请求方式 : POST"}], :response=>{"index"=>{"_index"=>"asr-test-%{[appName]}-%{[serverName]}.log-2024.10.17", "_type"=>"_doc", "_id"=>nil, "status"=>400, "error"=>{"type"=>"invalid_index_name_exception", "reason"=>"Invalid index name [asr-test-%{[appName]}-%{[serverName]}.log-2024.10.17], must be lowercase", "index_uuid"=>"_na_", "index"=>"asr-test-%{[appName]}-%{[serverName]}.log-2024.10.17"}}}}
上面是报错日志,接下来看我 logstash 的配置
cat logstash-audit.conf
input {
beats {
port => 5044
}
tcp {
port => 9889
codec => json
}
}
filter {
if [stack_trace] {
mutate {
update => { "message" => "%{[message]}%{[stack_trace]}" }
}
}
}
output {
if "erp" in [tags] {
elasticsearch {
hosts => [ "17ip 打码 900" ]
index => "erp-log%{+YYYY.MM.dd}"
}
}
else if "node167" in [tags] {
elasticsearch {
hosts => [ "17ip 打码 90" ]
index => "ecow-log%{+YYYY.MM.dd}"
}
}
else if "app" in [tags] {
elasticsearch {
hosts => [ "1ip 打码 9200" ]
index => "app-log%{+YYYY.MM.dd}"
}
}
else if "app_name" == "seata-server" {
elasticsearch {
hosts => ["http://1ip 打码 9200"]
index => "pro-seata-server.log-%{+YYYY.MM.dd}"
}
}
else {
elasticsearch {
hosts => ["http://17ip 打码 9200"]
index => "asr-%{[env]}-%{[appName]}-%{[serverName]}.log-%{+YYYY.MM.dd}"
}
}
}
报错影响的应该是这行配置
else {
elasticsearch {
hosts => ["http://17ip 打码 9200"]
index => "asr-%{[env]}-%{[appName]}-%{[serverName]}.log-%{+YYYY.MM.dd}"
}
可以看到我这里使用了三个变量,这里我保证这 3 个变量拿到的值一定是全小写 请问这里是什么问题,有没有知道的,或者提供下思路