Can't create nested type in ElasticSearch from data out of Logstash

Hey guys,

I'm suffering with this problem:

Using jdbc connected with SQL-Database.

I want to achieve this nested type in Elasticsearch:

    {
      "mappings": {
        "Units": {
          "properties": {
            "System": {
              "type": "nested",
              "properties": {
                "serialNumber": {
                  "type": "integer"
                },
                "name": {
                  "type": "string"
                }
              }
            }
          }
        }
      }
    }

But if I try to do so via Logstash, I get this error:

[2017-06-15T17:42:33,556][WARN ][logstash.outputs.elasticsearch] Failed action.{:status=>400, :action=>["index", {:_id=>nil, :_index=>"my_index", :_type=>"logs", :_routing=>nil}, 2017-06-15T15:42:33.334Z %{host} %{message}], :response=>{"index"=>{"_index"=>"my_index", "_type"=>"logs", "_id"=>"AVysa6BNpCeJ3dzt0jMB", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"object mapping [System] can't be changed from nested to non-nested"}}}}

My config file for Logstash is:

    input {
        jdbc {
            # working fine
        }
    }
    filter {
        aggregate {
            task_id => "%{iddevice}"
            # Build one nested System > SubSystem > Device document per iddevice
            code => "
                map['System'] ||= {}
                map['System']['name'] = event.get('namesystem')
                map['System']['serialNumber'] = event.get('serialnumbersystem')
                map['System']['description'] = event.get('descriptionsystem')
                map['System']['typeid'] = event.get('systemtypeid')
                map['System']['SubSystem'] ||= {}
                map['System']['SubSystem']['name'] = event.get('namesubsystem')
                map['System']['SubSystem']['description'] = event.get('descriptionsubsystem')
                map['System']['SubSystem']['serialNumber'] = event.get('serialnumbersubsystem')
                map['System']['SubSystem']['typeid'] = event.get('subsystemtypeid')
                map['System']['SubSystem']['Device'] ||= {}
                map['System']['SubSystem']['Device']['name'] = event.get('namedevice')
                map['System']['SubSystem']['Device']['nameRaw'] = event.get('namedeviceraw')
                map['System']['SubSystem']['Device']['Values'] ||= []
                map['System']['SubSystem']['Device']['Values'] << {
                    'typeid' => event.get('devicetypeid'),
                    'date' => event.get('datedevice'),
                    'operatingTime' => event.get('operatingtimedevice')
                }
            "
            push_previous_map_as_event => true
            timeout_tags => ['aggregated']
        }
        # Keep only the aggregated events
        if "aggregated" not in [tags] {
            drop {}
        }
    }
    output {
        stdout {
            codec => rubydebug {
                metadata => false
            }
        }
        elasticsearch {
            hosts => ["127.0.0.1"]
            index => "my_index"
        }
    }

If I don't use mappings for my index, the aggregated data is clearly not advertised as type "nested".

Thanks for help.

Helped myself out of this by changing "Units" to "logs", because Logstash creates its own mapping type under the name "logs". The next question is how to go about changing "logs" into something more meaningful. I think I can google that.
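
An added example, not part of the original posts: a small Python check that reads the `_type` Logstash wrote to from the warning above and compares it with the mapping types that declare the field as nested, which is the mismatch the follow-up post resolved. The mapping and the shortened warning line are constructed from the post, and `diagnose` is a hypothetical helper name.

```python
import json
import re

# Constructed inputs, shaped like the mapping and the warning quoted in the post
# (the warning is shortened to the parts this check reads).
MAPPING = json.loads("""
{"mappings": {"Units": {"properties": {"System": {"type": "nested",
  "properties": {"serialNumber": {"type": "integer"},
                 "name": {"type": "string"}}}}}}}
""")
WARNING = ('[WARN ][logstash.outputs.elasticsearch] Failed action. {:status=>400, '
           ':action=>["index", {:_id=>nil, :_index=>"my_index", :_type=>"logs", '
           ':_routing=>nil}], :response=>{"index"=>{"error"=>{"type"=>'
           '"illegal_argument_exception", "reason"=>"object mapping [System] '
           "can't be changed from nested to non-nested"
           '"}}}}')


def diagnose(mapping, warning):
    """Compare the _type Logstash wrote to with the types mapping the field as nested."""
    type_match = re.search(r':_type=>"([^"]+)"', warning)
    field_match = re.search(
        r"object mapping \[([^\]]+)\] can't be changed from nested to non-nested",
        warning)
    if not type_match or not field_match:
        return None  # not the nested/non-nested error this check is about
    written_type, field = type_match.group(1), field_match.group(1)
    # Mapping types in the index that declare the field as "nested".
    nested_in = sorted(
        name for name, body in mapping.get("mappings", {}).items()
        if body.get("properties", {}).get(field, {}).get("type") == "nested")
    return {
        "written_type": written_type,
        "field": field,
        "nested_in": nested_in,
        # True when the event went to a type that has no nested declaration
        # for the field, as in the post ("logs" written, "Units" mapped).
        "type_mismatch": written_type not in nested_in,
    }


if __name__ == "__main__":
    print(diagnose(MAPPING, WARNING))
```

The elasticsearch output's `document_type` option sets the `_type` Logstash writes, which is the alternative to naming the mapping type "logs".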
