
我既无法过滤,也无法聚合已通过 LogStash 保存到 ElasticSearch 的文档


我猜问题可能出在我的 logstash.conf 上,但我不知道该怎么改。我找到了一些很好的教程,讲解如何只用 ElasticSearch 来实现,但在我的场景中,所有数据都会从 NodeJS 经由 LogStash 进入。

我搜索了如何启用 fielddata,但弄不清楚怎样在我的 logstash.conf 中做到这一点。我是否应该创建一个索引模板?如果是,该怎么做?

背景是:我想记录每个用户每次访问我们应用程序的时间,然后根据其每月的访问次数向其收费。

logstash.conf

# Accept events over a raw TCP socket on port 5000 and tag them with type cpfTipo.
# NOTE(review): no TLS or bind-address options are set on this input, so whatever the
# client sends (credentials included, per the sample hit shown on this page) crosses
# the socket unencrypted — confirm the listener is reachable only from the app host.
input {
  tcp {
    port => 5000
    type => cpfTipo
  }
}

# Parse the JSON text held in the "message" field into fields on the event.
# NOTE(review): every key of the payload is kept — the sample document shows "password"
# indexed as its own field and again inside the raw "message" string. Dropping it
# (at the sender, or with a mutate/remove_field step here) looks necessary — confirm.
filter {
  json {
    source => "message"
  } 
}

# Index each event into the Elasticsearch node at localhost:9200,
# under index mycostumer_indice with document type cpfTipo.
output {
  elasticsearch { hosts => ["localhost:9200"] index => "mycostumer_indice" document_type => "cpfTipo"}
}

尝试过滤:

1)

curl -XGET http://127.0.0.1:9200/mycostumer_indice/cpfTipo/_search -d '{
    "query": {
        "filtered": {
            "query": {
                "match_all": {}
            },
            "filter": 
                    {
                        "term": {
                            "username": "a"
                        }
                    }
                ]
            }
        }
    }
}'
{"error":{"root_cause":[{"type":"parsing_exception","reason":"no [query] registered for [filtered]","line":3,"col":21}],"type":"parsing_exception","reason":"no [query] registered for [filtered]","line":3,"col":21},"status":400}demetrio@nodejs ~/tool

尝试聚合:

1)

curl -XGET http://127.0.0.1:9200/mycostumer_indice/cpfTipo/_search -d '{
{
    "aggs" : {
        "message" : {
            "terms" : {
                "field" : "cpfTipo",
                "size" : 5
            }
        }
    }
}'
{"error":{"root_cause":[{"type":"json_parse_exception","reason":"Unexpected character ('{' (code 123)): was expecting double-quote to start field name\n at [Source: org.elasticsearch.transportty4.ByteBufStreamInput@3ce63313; line: 2, column: 2]"}],"type":"json_parse_exception","reason":"Unexpected character ('{' (code 123)): was expecting double-quote to start field name\n at [Source: org.elasticsearch.transportty4.ByteBufStreamInput@3ce63313; line: 2, column: 2]"},"status":500}

2)

curl -XPOST 'http://127.0.0.1:9200/mycostumer_indice/_search?pretty' -d '
{
  "size": 0,
  "aggs": {
    "group_by_username": {
      "terms": {
        "field": "username"
      }
    }
  }
}'
{
  "error" : {
    "root_cause" : [
      {
        "type" : "illegal_argument_exception",
        "reason" : "Fielddata is disabled on text fields by default. Set fielddata=true on [username] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory."
      }
    ],
    "type" : "search_phase_execution_exception",
    "reason" : "all shards failed",
    "phase" : "query",
    "grouped" : true,
    "failed_shards" : [
      {
        "shard" : 0,
        "index" : "mycostumer_indice",
        "node" : "-em7X-ssT3SL2JBtfs0VTQ",
        "reason" : {
          "type" : "illegal_argument_exception",
          "reason" : "Fielddata is disabled on text fields by default. Set fielddata=true on [username] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory."
        }
      }
    ],
    "caused_by" : {
      "type" : "illegal_argument_exception",
      "reason" : "Fielddata is disabled on text fields by default. Set fielddata=true on [username] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory."
    }
  },
  "status" : 400
}

mycostumer 索引中的文档如下:

curl http://127.0.0.1:9200/mycostumer_indice/cpfTipo/_search?pretty 
{
  "took" : 2,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "failed" : 0
  },
  "hits" : {
    "total" : 1,
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "mycostumer_indice",
        "_type" : "cpfTipo",
        "_id" : "AVrxUi5cIZDJUBCguFI8",
        "_score" : 1.0,
        "_source" : {
          "password" : "a",
          "@timestamp" : "2017-03-21T14:42:54.466Z",
          "port" : 56012,
          "@version" : "1",
          "host" : "127.0.0.1",
          "message" : "{\"username\":\"a\",\"password\":\"a\"}",
          "type" : "cpfTipo",
          "username" : "a"
        }
      }
    ]
  }
}

NodeJS 端的代码:

// --- Dependencies ---------------------------------------------------------
const express = require('express');
const bodyParser = require('body-parser');
const { Client } = require('node-rest-client');

const expressWinston = require('express-winston');
const winston = require('winston');
// Required without a binding; presumably registers the Logstash transport on winston.
require('winston-logstash');

// REST client instance; not used in the visible part of the file.
const client = new Client();

const Logstash = require('logstash-client');

// --- Application setup ----------------------------------------------------
const app = express();

// Add 'body' to the request and response properties express-winston records.
// NOTE(review): the /token route receives the password in its request body,
// so this would place credentials in the log stream — confirm it is filtered.
expressWinston.requestWhitelist.push('body');
expressWinston.responseWhitelist.push('body');

// Body parsers: JSON payloads and URL-encoded forms (extended syntax enabled).
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: true }));

// Listening port: PORT from the environment when set to a truthy value, else 3000.
const port = process.env.PORT || 3000;

// --- Routing --------------------------------------------------------------
const router = express.Router();

const tokenRoute = router.route('/token');

// POST /token: copies username and password out of the request body and sends
// the pair to Logstash. The handler is cut off after the send call in this excerpt.
tokenRoute.post(function (req, res) {

  // Both values come straight from the client; no validation is visible here.
  var user = {
    username: req.body.username,
    password: req.body.password
  };
  // NOTE(review): this ships the plaintext password into the logging pipeline — the
  // sample Elasticsearch hit on this page shows it stored as a field. For counting
  // accesses per user, the username alone appears sufficient — confirm and omit the password.
  // `logstash` (lowercase) is not defined in the visible code; only the `Logstash`
  // module is required — presumably an instance is created elsewhere.
  logstash.send(user);
回答如下:

你的第一个搜索查询使用了已废弃的 filtered 查询,只需把它换成 bool 就可以了:

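# Term filter on username, wrapped in a bool query (the replacement for "filtered").
# The "filter" clause holds a single object, so the body needs no "]" and must close
# exactly as many braces as it opens; otherwise Elasticsearch rejects it as malformed JSON.
curl -XGET http://127.0.0.1:9200/mycostumer_indice/cpfTipo/_search -d '{
    "query": {
        "bool": {
            "filter": {
                "term": {
                    "username": "a"
                }
            }
        }
    }
}'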

你的第二个查询在开头多了一个左花括号,请改用下面这个:

# Terms aggregation named "message": up to 5 buckets over the field cpfTipo.
# NOTE(review): the sample document on this page has a "type" field whose value is
# cpfTipo, but no field called cpfTipo — confirm which field name is intended.
curl -XGET http://127.0.0.1:9200/mycostumer_indice/cpfTipo/_search -d '{
    "aggs" : {
        "message" : {
            "terms" : {
                "field" : "cpfTipo",
                "size" : 5
            }
        }
    }
}'

第三个查询失败,是因为你试图在 username 上做聚合,而它是一个 text 字段(正如错误信息所说,text 字段默认禁用 fielddata)。你应该把该字段的映射改为 keyword 类型。
