Can't create nested type in ElasticSearch from data out of Logstash

Sesam · June 15, 2017, 3:46pm

Hey guys,

im suffering with this Problem:

Using jdbc connected with SQL-Database.

I want to achive this nested type in elasticsearch:

   {
      "mappings": {
        "Units": {
          "properties": {
            "System": {
              "type": "nested",
              "properties": {
                "serialNumber": {
                  "type": "integer"
                },
                "name": {
                  "type": "string"
                }
              }
            }
          }
        }
      }
    }

but if i try to do so via logstash i get this error:

[2017-06-15T17:42:33,556][WARN ][logstash.outputs.elasticsearch] Failed action.{:status=>400, :action=>["index", {:_id=>nil, :_index=>"my_index", :_type=>"logs", :_routing=>nil}, 2017-06-15T15:42:33.334Z %{host} %{message}], :response=>{"index"=>{"_index"=>"my_index", "_type"=>"logs", "_id"=>"AVysa6BNpCeJ3dzt0jMB", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"object mapping [System] can't be changed from nested to non-nested"}}}}

my configfile for Logstash is:

input
{ 
	jdbc 
	{ 
	 //working fine
	} 
	
}
	filter{
		aggregate {
    task_id => "%{iddevice}"
    code => "
		 map['System'] ||={}
		map['System']['name'] = event.get('namesystem')
		map['System']['serialNumber'] = event.get('serialnumbersystem')
		map['System']['description'] = event.get('descriptionsystem')
		map['System']['typeid'] = event.get('systemtypeid')
		map['System']['SubSystem'] ||={}
		map['System']['SubSystem']['name'] = event.get('namesubsystem')
		map['System']['SubSystem']['description'] = event.get('descriptionsubsystem')
		map['System']['SubSystem']['serialNumber'] = event.get('serialnumbersubsystem')
		map['System']['SubSystem']['typeid'] = event.get('subsystemtypeid')
		map['System']['SubSystem']['Device']||={}
		map['System']['SubSystem']['Device']['name'] = event.get('namedevice')
		map['System']['SubSystem']['Device']['nameRaw'] = event.get('namedeviceraw')
		map['System']['SubSystem']['Device']['Values'] ||= []
		map['System']['SubSystem']['Device']['Values'] << { 'typeid' => event.get('devicetypeid'),
		'date' => event.get('datedevice'),
		'operatingTime' => event.get('operatingtimedevice')}
		  
    "
	push_previous_map_as_event => true
    timeout_tags => ['aggregated']
  }
  if "aggregated" not in [tags] {
    drop {}
  }
}
output
{
	stdout {
    		codec => rubydebug{
			metadata => false}
  	}
	elasticsearch {
		hosts => ["127.0.0.1"]
			index =>"my_index"
   	} 
}

If I dont use mappings for my Index the aggregated data is cleary not advertised as type of "nested".

Thanks for help.

Sesam · June 15, 2017, 4:46pm

Helped myself out of this by changing "Units" to "logs" because logstash is creating an own mappingtype under the name "logs". Next question is how to find out of changing "logs" into something more meaningful. I think i can google that.

system · July 13, 2017, 4:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.