首页 注册 登录
V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
pol
V2EX  ›  日志处理

elk 这套日志 最近报错 无效索引要小写,求指导

  •   
  •   pol · 18 天前 · 217 次点击 
    [2024-10-17T16:43:21,934][ERROR][logstash.outputs.elasticsearch][audit][9b837e55c8099cbb5d15de6e33ff7d57678ffc02f082744561c30f21c7610c3c] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"asr-test-%{[appName]}-%{[serverName]}.log-2024.10.17", :routing=>nil}, {"@timestamp"=>2024-10-17T08:43:21.696Z, "logstash_destination"=>"10ip 打码 90:9889", "host"=>"1ip 打码 97", "logger_name"=>"cn.com.safeware.common.logback.GlobalTraceLogIdSetting", "thread_name"=>"http-nio-9040-exec-159", "type"=>"logback", "env"=>"test", "level_value"=>20000, "traceId"=>"369b8faa9ae54e9ea79c241236670b97", "level"=>"INFO", "app_name"=>"erp", "server_name"=>"api-web", "port"=>33726, "@version"=>"1", "message"=>"请求方式 : POST"}], :response=>{"index"=>{"_index"=>"asr-test-%{[appName]}-%{[serverName]}.log-2024.10.17", "_type"=>"_doc", "_id"=>nil, "status"=>400, "error"=>{"type"=>"invalid_index_name_exception", "reason"=>"Invalid index name [asr-test-%{[appName]}-%{[serverName]}.log-2024.10.17], must be lowercase", "index_uuid"=>"_na_", "index"=>"asr-test-%{[appName]}-%{[serverName]}.log-2024.10.17"}}}}

    上面是报错日志,接下来看我 logstash 的配置

     cat logstash-audit.conf
input {
  beats {
    port => 5044
  }

  tcp {  
    port => 9889
    codec => json
  }
}

filter {
    if [stack_trace] {
      mutate {
            update => { "message" => "%{[message]}%{[stack_trace]}" }
        }
    }
}

output {
  if "erp" in [tags] {
     elasticsearch {
        hosts => [ "17ip 打码 900" ]
        index => "erp-log%{+YYYY.MM.dd}"
     }
  }
else if "node167" in [tags] {
         elasticsearch {
                hosts => [ "17ip 打码 90" ]
                index => "ecow-log%{+YYYY.MM.dd}"
     }
  }
else if "app" in [tags] {
     elasticsearch {
                hosts => [ "1ip 打码 9200" ]
                index => "app-log%{+YYYY.MM.dd}"
     }
  }
else if "app_name" == "seata-server" {
    elasticsearch {
      hosts => ["http://1ip 打码 9200"]
      index => "pro-seata-server.log-%{+YYYY.MM.dd}"
    }
 }
else {
    elasticsearch {
      hosts => ["http://17ip 打码 9200"]
      index => "asr-%{[env]}-%{[appName]}-%{[serverName]}.log-%{+YYYY.MM.dd}" 
    }
 }
}

    报错影响的应该是这行配置

    else {
    elasticsearch {
      hosts => ["http://17ip 打码 9200"]
      index => "asr-%{[env]}-%{[appName]}-%{[serverName]}.log-%{+YYYY.MM.dd}" 
    }

    可以看到我这里使用了三个变量,这里我保证这 3 个变量拿到的值一定是全小写 请问这里是什么问题,有没有知道的,或者提供下思路

    目前尚无回复
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   971 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 22ms · UTC 22:09 · PVG 06:09 · LAX 14:09 · JFK 17:09
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.