logstash數據無法寫入到es

現象：偶發性某天應用服務日誌數據丟失，查看es無數據

架構：filebeat--->logstash--->es

logstash 上報錯現象：

2023-10-13T13:05:14,161][WARN ][logstash.outputs.elasticsearch][main] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"srgp-2023.10.13", :_type=>"_doc", :routing=>nil}, #<LogStash::Event:0x3b1e2406>], :response=>{"index"=>{"_index"=>"srgp-2023.10.13", "_type"=>"_doc", "_id"=>"X41sJ4sBPtPNo0ugp5is", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [logdate] of type [date] in document with id 'X41sJ4sBPtPNo0ugp5is'. Preview of field's value: '2023-10-13 13:05:13,009'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"failed to parse date field [2023-10-13 13:05:13,009] with format [strict_date_optional_time||epoch_millis]", "caused_by"=>{"type"=>"date_time_parse_exception", "reason"=>"date_time_parse_exception: Failed to parse with all enclosed parsers"}}}}}}
[2023-10-13T13:05:14,161][WARN ][logstash.outputs.elasticsearch][main] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"srgp-2023.10.13", :_type=>"_doc", :routing=>nil}, #<LogStash::Event:0x529a2802>], :response=>{"index"=>{"_index"=>"srgp-2023.10.13", "_type"=>"_doc", "_id"=>"9MlsJ4sBGw4njSrKpxWs", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [logdate] of type [date] in document with id '9MlsJ4sBGw4njSrKpxWs'. Preview of field's value: '2023-10-13 13:05:13,007'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"failed to parse date field [2023-10-13 13:05:13,007] with format [strict_date_optional_time||epoch_millis]", "caused_by"=>{"type"=>"date_time_parse_exception", "reason"=>"Failed to parse with all enclosed parsers"}}}}}}

 

應用日誌：
2023-10-13 09:51:14,710 INFO [AYQqkUTKRJufCZpBDujhww] [00534e185d57476498936]xxxxxxxxx
2023-10-13 09:51:14,750 INFO [AYQqkUTKRJufCZpBDujhww] xxxxxx

諮詢ChatGpt：

GPT的解決方法也不行，其實上面的配置我的logstash也有，還是報這個錯。

出處： ## https://www.cnblogs.com/liucx/

解決方法：
經過排查，logstash獲取日誌時，會以日誌的第一條記錄作爲es自動創建的映射字段，logdate的類型變爲時間類型了，導致無法寫入到es，後修改這個索引的模板解決，強制mapping中的logdate設置爲text類型

 解決啦