当前位置：首页 > news >正文

elasticsearch mapping和template解析(自动分词)！

news 2025/8/15 8:20:51

一. 引文：

部署了ELK 用来分析nginx的log，新增需求：统计相关url(字段名url_path)访问次数最高的五个，通过Visualize创建走势图，发现自动对其进行了分词输出(如：/photo/pv/addPv被拆分成了photo,pv,addPV)。通过查询相关资料，明白了在创建索引，插入数据时，有一个template和mappings机制。

二. 概念：

template: 索引可使用预定义的模板进行创建,这个模板称作Index templates(索引模板)。模板设置包括settings和mappings，通过模式匹配的方式使得多个索引重用一个模板(如xxx* ,即:对xxx开头的index都匹配)。

mappings: 类似于静态语言中的数据类型：声明一个变量为int类型的变量，以后这个变量都只能存储int类型的数据。同样的，一个number类型的mapping字段只能存储number类型的数据。同语言的数据类型相比，mapping还有一些其他的含义，mapping不仅告诉ES一个field中是什么类型的值，它还告诉ES如何索引数据以及数据是否能被搜索到。一个mapping由一个或多个analyzer组成，一个analyzer又由一个或多个filter组成的。当ES索引文档的时候，它把字段中的内容传递给相应的analyzer，analyzer再传递给各自的filters。一个filter就是一个转换数据的方法，输入一个字符串，这个方法返回另一个字符串（如一个将字符串转为小写的方法）。一个analyzer由一组顺序排列的filter组成，执行分析的过程就是按顺序一个filter一个filter依次调用， ES存储和索引最后得到的结果。总结来说， mapping的作用就是执行一系列的指令将输入的数据转成可搜索的索引项。

三. 核心：

elasticsearch默认是字符串的类型的字段都会分词(也会带来性能及空间占用问题)的(也就是引文中url_path问题所在)。故，这种情况下，解决办法就是修改mapping的string类型改为不分词("index": "not_analyzed")

需要注意的一个问题就是如果index中已经有大量数据的情况下，修改了analyzer,还需要清理已存在的数据，重新灌/cha入才能生效(因为就算put了新的mapping,以前的数据也更正不过来，后进去的数据会跟随旧数据的存储类型) 。。。

四. 基础操作：

可通过以下请求查看template及mapping：

# curl -XGET "http://10.4.30.41:9200/_template/?pretty"  #结果太长，略

也可查看某一个template的：

#curl -XGET “http://10.4.30.41:9200/_template/logstash?pretty”{"logstash" : {"order" : 0,"template" : "logstash-*","settings" : {"index" : {"refresh_interval" : "5s"}},"mappings" : {"_default_" : {"dynamic_templates" : [ {"message_field" : {"mapping" : {"fielddata" : {"format" : "disabled"},"index" : "analyzed","omit_norms" : true,"type" : "string"},"match_mapping_type" : "string","match" : "message"}}, {"string_fields" : {"mapping" : {"fielddata" : {"format" : "disabled"},"index" : "analyzed","omit_norms" : true,"type" : "string","fields" : {"raw" : {"ignore_above" : 256,"index" : "not_analyzed","type" : "string"}}},"match_mapping_type" : "string","match" : "*"}} ],"_all" : {"omit_norms" : true,"enabled" : true},"properties" : {"@timestamp" : {"type" : "date"},"geoip" : {"dynamic" : true,"properties" : {"ip" : {"type" : "ip"},"latitude" : {"type" : "float"},"location" : {"type" : "geo_point"},"longitude" : {"type" : "float"}}},"@version" : {"index" : "not_analyzed","type" : "string"}}}},"aliases" : { }}
}

可查看一个index的mapping:

#curl -XGET "http://10.4.30.41:9200/photo-xxx/_mapping/?pretty"{"photo-xxx" : {"mappings" : {"photo-xxx" : {"properties" : {"@timestamp" : {"type" : "date","format" : "strict_date_optional_time||epoch_millis"},"@version" : {"type" : "string"},"body_bytes_sent" : {"type" : "string"},"bytes_sent" : {"type" : "string"},"host" : {"type" : "string"},"http_x_forwarded_for" : {"type" : "string"},"message" : {"type" : "string"},"method" : {"type" : "string"},"path" : {"type" : "string"},"remote_addr" : {"type" : "string"},"request" : {"type" : "string"},"request_time" : {"type" : "string"},"servers" : {"type" : "string"},"status" : {"type" : "string"},"tags" : {"type" : "string"},"time_local" : {"type" : "string"},"type" : {"type" : "string"},"upstream_addr" : {"type" : "string"},"upstream_response_time" : {"type" : "string"},"upstream_status" : {"type" : "string"},"uri" : {"type" : "string"},"url_args" : {"type" : "string"},"url_path" : {"type" : "string"},"verb" : {"type" : "string"}}}}}
}

解决分词问题：

新建一个template，如匹配“*xxx_*”的string都不分词，操作如下：

# curl -XPUT 'http://10.4.30.41:9200/_template/xxx?pretty' -d '{"template":"*xxx_*","mappings":{"_default_":{"dynamic_templates":[{"template_1":{"mapping":{"index": "not_analyzed","type": "string"},"match_mapping_type": "string","match": "*"}}],_all:{"enabled": false}}}}'
{"acknowledged" : true
}#注：其中match是匹配((unmatch非匹配))项(如本例中nginx的message，uri等)

至于数据这块，并未正式上线，故可直接删除数据，生成新的即可(有空调研下相关导数据方法)。

再次查看mapping：

#curl -XGET "http://10.4.30.41:9200/photo-xxx/_mapping/?pretty"{"photo-xxx" : {"mappings" : {"_default_" : {"_all" : {"enabled" : false},"dynamic_templates" : [ {"template_1" : {"mapping" : {"index" : "not_analyzed","type" : "string"},"match" : "*","match_mapping_type" : "string"}} ]},"photo-xxx" : {"_all" : {"enabled" : false},"dynamic_templates" : [ {"template_1" : {"mapping" : {"index" : "not_analyzed","type" : "string"},"match" : "*","match_mapping_type" : "string"}} ],"properties" : {"@timestamp" : {"type" : "date","format" : "strict_date_optional_time||epoch_millis"},"@version" : {"type" : "string","index" : "not_analyzed"},"body_bytes_sent" : {"type" : "string","index" : "not_analyzed"},"bytes_sent" : {"type" : "string","index" : "not_analyzed"},"host" : {"type" : "string","index" : "not_analyzed"},"http_x_forwarded_for" : {"type" : "string","index" : "not_analyzed"},"message" : {"type" : "string","index" : "not_analyzed"},"method" : {"type" : "string","index" : "not_analyzed"},"path" : {"type" : "string","index" : "not_analyzed"},"remote_addr" : {"type" : "string","index" : "not_analyzed"},"request" : {"type" : "string","index" : "not_analyzed"},"request_time" : {"type" : "string","index" : "not_analyzed"},"servers" : {"type" : "string","index" : "not_analyzed"},"status" : {"type" : "string","index" : "not_analyzed"},"tags" : {"type" : "string","index" : "not_analyzed"},"time_local" : {"type" : "string","index" : "not_analyzed"},"type" : {"type" : "string","index" : "not_analyzed"},"upstream_addr" : {"type" : "string","index" : "not_analyzed"},"upstream_response_time" : {"type" : "string","index" : "not_analyzed"},"upstream_status" : {"type" : "string","index" : "not_analyzed"},"uri" : {"type" : "string","index" : "not_analyzed"},"url_args" : {"type" : "string","index" : "not_analyzed"},"url_path" : {"type" : "string","index" : "not_analyzed"},"verb" : {"type" : "string","index" : "not_analyzed"}}}}}
}

入新数据后，问题解决。。

如需要针对某些字段进行聚合统计/计算，就需要设置字段类型为整数(integer)或浮点数(float)等。如在已创建kibana index的基础上修改字段类型，需要删除kibana index,然后重新创建，否则在kibana中不会生效(报错:No Compatible Fields: The "logstash-*" index pattern does not contain any of the following field types: number)。

查看全文

http://www.lryc.cn/news/619485.html