ELK使用过程遇到问题

Posted on 本文总阅读量

一、节点分片分配失败,状态为黄色

1. 获取分片分配失败的索引
1
curl -XGET 10.8.12.174:9200/_cat/shards?h=index,shard,prirep,state,unassigned.reason| grep UNASSIGNED
2. 手动恢复分配失败的分片
1
2
3
4
5
6
7
8
9
10
POST _cluster/reroute?retry_failed=true
{
  "commands": [
    {"allocate_replica": {
      "index": "logstash-nginx-access-u3dgame-2017.06.30",   #索引名称
      "shard": 1,         #需恢复的分片的id
      "node": "10.8.12.174"        #恢复的目的节点
    }}
  ]
}
3. 移动分片到其它节点
1
2
3
4
5
6
7
8
9
10
11
POST _cluster/reroute?retry_failed=true
{
    "commands":[{
        "move":{
            "index": "logstash-pods-2020.04.07",  #需移动的索引名称
            "shard": 0,        #需移动的分片的id
            "from_node": "172.16.105.105",     #源节点
            "to_node": "172.16.245.122"          #目标节点
        }
    }]
}

二、开启文本字段的fielddata=true

1. 默认情况下es是关闭了文本字段排序的,当在discover上对文本字段排序时,会报出如下错误:
1
Fielddata is disabled on text fields by default. Set fielddata=true on [your_field_name] in order to load fielddata in memory by uninverting the inverted index.
2. 获取索引的当前mapping信息
1
GET platform-valgrind-neice-2017.09.05/_mapping/
3. 使用mapping API开启

fielddata.* 参数必须具有相同索引中相同名称字段的相同设置.

1
2
3
4
5
6
7
8
9
PUT my_index/_mapping/my_type
{
  "properties": {
     "my_field": { 
        "type": "text",
        "fielddata": true
     }
  }
}

例:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
PUT platform-valgrind-neice-*/_mapping/log
{
   "properties": {
      "PID": {
         "type": "text",
         "fielddata": true, 
         "norms": false,
         "fields": {
            "keyword": {
               "type": "keyword"
            }
         }
      }
   }
}

三、 重构索引

1
2
3
4
5
6
7
8
9
10
11
12
13
[root@elk-test01 data]# curl -X POST -H 'Content-Type: application/json' 'http://192.168.1.122:9200/_reindex' -d '{          
"source": {
    "remote": {
        "host": "http://10.8.30.17:9200"
    },
    "index": "logstash-platform-haproxy-2018.03.01",
    "query": {
        "match_all": {}
    }
},
"dest": {
    "index": "logstash-platform-haproxy-2018.03.01"
}}'

四、重构索引并重命令字段名和某字段值

1
2
3
4
5
6
7
8
POST _reindex
{
    "source": {"index": "logstash-nginx-access-u3dgame-2018.02.26"},
    "dest": {"index": "u3dgame-new2018.02.26"},
    "script": {
        "source": "ctx._source.httpver = ctx._source.remove('httpversion'); ctx._source.username = ctx._source.httpver"
    }
}