Can't merge a non object mapping [EventId] with an object mapping [EventId]

minder · July 15, 2019, 12:27pm

have got a log:
{ "time": "2019-07-12T16:16:27.5682286+03:00", "level": "ERROR", "message": "{"AddedTime":"2019-07-12 16:16:23.8962","RequestedTime":"2019-07-12 16:16:23.8962","WebSso":"AQIC5wM2LY4Sfcw7nbDeQ9IKsDkdlSwuQmCeYYfiDTZi0Q0.AAJTSQACMDQAAlNLABMyMTU3OTQ5NzY5ODE3MzI1NTc3AAJTMQACMTU.","Msisdn":"777777777","RequestHeaders":,"ResponseHeaders":[{"Key":"Pragma","Value":"no-cache"},{"Key":"Request-Context","Value":"appId=cid-v1:cdb4fbe0-ed36-40c6-bd2e-d4c0f903d4e0"},{"Key":"Cache-Control","Value":"no-cache"},{"Key":"Date","Value":"Fri, 12 Jul 2019 13:16:27 GMT"}],"RequestContent":"{\"DonorMsisdn\":\"77777777777\",\"GroupService\":{\"Type\":\"None\",\"Code\":\"PE13872.1\",\"GlobalCode\":\"PE13872\"},\"ItemFrom\":1,\"ItemTo\":30,\"IncludeHistory\":false,\"IncludeRaw\":false,\"AuthMsisdn\":\"77777777777777\"}","ResponseContent":"{\"Response\":{},\"MessageId\":\"b0202e1a-8318-4802-90ec-1312b312a88d\",\"TerminationCode\":\"500\",\"TerminationMessage\":\"\u0412\",\"Msisdn\":\"777777777\"}","RequestTimeout":20.0,"ResponseDuration":3.6795620999999996,"ErrorMessage":"","InternalExceptionData":"","PartyTerminationCode":"","PartyTerminationMessage":"","RequestUrl":"http://localhost:83/sharedservices/GroupMembersByDonor","RequestMethod":"POST","ResponseStatusCode":500}", "logger": "CachedServicesInformationProvider", "exception": "System.Net.Http.HttpRequestException: Response status code does not indicate success: 500 (Internal Server Error).\r\n at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()\r\n at Rest.BaseRestProvider.d__6`1.MoveNext()", "EventId.Id": 2002, "EventId.Name": null, "EventId": "2002" }

i'm trying to parse it as JSON by config:

filter {
date {
match => [ "time", "yyyy-MM-dd HH:mm:ss.SSSS" ]
target => "@timestamp"
}

    json {
            source => "message"
    }

}

but, the error appears:

Jul 12 16:45:44 ekl01 logstash: [2019-07-12T16:45:43,198][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-2019.07.12", :_type=>"doc", :_routing=>nil}, #LogStash::Event:0x1ae77086], :response=>{"index"=>{"_index"=>logstash-2019.07.12", "_type"=>"doc", "_id"=>"G2Vu5msBgHwB3FFisjQ9", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"Can't merge a non object mapping [EventId] with an object mapping [EventId]"}}}}

what i'm doing wrong? or where my config is incorrect?

Badger · July 15, 2019, 2:20pm

In elasticsearch a field can be an object, or text (or date etc.), but it cannot be text on some documents and an object on others.

I see you also have fields called EventId.Id and EventId.Name. That should be OK, you can have dots in field names, but if you have previously parsed messages in a way that created an EventId field that contained Id and Name fields that would create exactly this issue.

system · August 12, 2019, 2:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.