Can't merge a non object mapping [EventId] with an object mapping [EventId]

have got a log:
{ "time": "2019-07-12T16:16:27.5682286+03:00", "level": "ERROR", "message": "{"AddedTime":"2019-07-12 16:16:23.8962","RequestedTime":"2019-07-12 16:16:23.8962","WebSso":"AQIC5wM2LY4Sfcw7nbDeQ9IKsDkdlSwuQmCeYYfiDTZi0Q0.AAJTSQACMDQAAlNLABMyMTU3OTQ5NzY5ODE3MzI1NTc3AAJTMQACMTU.","Msisdn":"777777777","RequestHeaders":,"ResponseHeaders":[{"Key":"Pragma","Value":"no-cache"},{"Key":"Request-Context","Value":"appId=cid-v1:cdb4fbe0-ed36-40c6-bd2e-d4c0f903d4e0"},{"Key":"Cache-Control","Value":"no-cache"},{"Key":"Date","Value":"Fri, 12 Jul 2019 13:16:27 GMT"}],"RequestContent":"{\"DonorMsisdn\":\"77777777777\",\"GroupService\":{\"Type\":\"None\",\"Code\":\"PE13872.1\",\"GlobalCode\":\"PE13872\"},\"ItemFrom\":1,\"ItemTo\":30,\"IncludeHistory\":false,\"IncludeRaw\":false,\"AuthMsisdn\":\"77777777777777\"}","ResponseContent":"{\"Response\":{},\"MessageId\":\"b0202e1a-8318-4802-90ec-1312b312a88d\",\"TerminationCode\":\"500\",\"TerminationMessage\":\"\u0412\",\"Msisdn\":\"777777777\"}","RequestTimeout":20.0,"ResponseDuration":3.6795620999999996,"ErrorMessage":"","InternalExceptionData":"","PartyTerminationCode":"","PartyTerminationMessage":"","RequestUrl":"http://localhost:83/sharedservices/GroupMembersByDonor","RequestMethod":"POST","ResponseStatusCode":500}", "logger": "CachedServicesInformationProvider", "exception": "System.Net.Http.HttpRequestException: Response status code does not indicate success: 500 (Internal Server Error).\r\n at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()\r\n at Rest.BaseRestProvider.d__6`1.MoveNext()", "EventId.Id": 2002, "EventId.Name": null, "EventId": "2002" }

i'm trying to parse it as JSON by config:

filter {
date {
match => [ "time", "yyyy-MM-dd HH:mm:ss.SSSS" ]
target => "@timestamp"
}

    json {
            source => "message"
    }

}

but, the error appears:

Jul 12 16:45:44 ekl01 logstash: [2019-07-12T16:45:43,198][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-2019.07.12", :_type=>"doc", :_routing=>nil}, #LogStash::Event:0x1ae77086], :response=>{"index"=>{"_index"=>logstash-2019.07.12", "_type"=>"doc", "_id"=>"G2Vu5msBgHwB3FFisjQ9", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"Can't merge a non object mapping [EventId] with an object mapping [EventId]"}}}}

what i'm doing wrong? or where my config is incorrect?

In elasticsearch a field can be an object, or text (or date etc.), but it cannot be text on some documents and an object on others.

I see you also have fields called EventId.Id and EventId.Name. That should be OK, you can have dots in field names, but if you have previously parsed messages in a way that created an EventId field that contained Id and Name fields that would create exactly this issue.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.