Can't merge a non object mapping ... with an object mapping ... but the mapping does not exist yet

Hi all,
When parsing an XML document, I get an error:

"Can't merge a non object mapping [poc.ports.port.script.elem] with an object mapping [poc.ports.port.script.elem]"

Searching the forum, I found that the error appears when the document does not match the mapping in ES, but in my case the mapping does not exist yet.

How is this possible?
Thank you!
Regards
Ana

If you have both occurrences in the same document you will get a mapping error when Elasticsearch tries to create mappings for it. What does the document look like?

Hi Christian,
My document is a simplified version of an Nmap XML output.
The problem occurs when trying to parse the second script element in port 443, but I don't know how to solve it.

Thanks a lot!
Regards
Ana

LS Conf (Filter)

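filter {
    # Parse the XML in "message" into the [poc] field and pull out a few attributes
    xml {
        source => "message"
        target => "poc"
        xpath => ["host/address/@addr",  "ip"]
        xpath => ["host/status/@state",  "state"]
        xpath => ["host/status/@reason", "reason"]
    }

    # For <host> lines, emit one event per <port> element
    if [message] =~ /^<host starttime/ {
        split {
            field => "[poc][ports][0][port]"
        }
    }

    # Discard lines that start with <task
    if [message] =~ /^<task/ {
        drop { }
    }
}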

Document

<host starttime="1551225720" endtime="1551226381"><status state="up" reason="syn-ack" reason_ttl="0"/>
<address addr="x.y95.165" addrtype="ipv4"/>
<hostnames>
<hostname name="static-x-y-95-165.domain" type="PTR"/>
</hostnames>
<ports><extraports state="filtered" count="65528">
<extrareasons reason="no-responses" count="65528"/>
</extraports>
<port protocol="tcp" portid="25"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="smtp" product="Postfix smtpd" hostname=" FW_ENTERPRISE" method="probed" conf="10"><cpe>cpe:/a:postfix:postfix</cpe></service><script id="smtp-commands" output="FW_ENTERPRISE, SIZE, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, "/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="http" product="Check Point NGX Firewall-1" method="probed" conf="10"><cpe>cpe:/a:checkpoint:firewall-1</cpe></service></port>
<port protocol="tcp" portid="264"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="fw1-topology" product="Check Point FireWall-1 Topology" devicetype="firewall" method="probed" conf="10"><cpe>cpe:/a:checkpoint:firewall-1</cpe></service></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="http" product="Connectra Check Point Web Security httpd" devicetype="security-misc" tunnel="ssl" method="probed" conf="10"><cpe>cpe:/a:checkpoint:connectra</cpe></service>
<script id="http-methods" output="&#xa;  Supported Methods: GET HEAD POST OPTIONS">
<table key="Supported Methods">
<elem>GET</elem>
<elem>HEAD</elem>
<elem>POST</elem>
<elem>OPTIONS</elem>
</table>
</script>
<script id="ssl-date" output="2019-02-27T00:12:30+00:00; -1s from scanner time.">
<elem key="date">2019-02-27T00:12:30+00:00</elem>
<elem key="delta">-1.0</elem>
</script>
</port>
<port protocol="tcp" portid="500"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="isakmp" method="table" conf="3"/></port>
<port protocol="tcp" portid="15001"><state state="closed" reason="conn-refused" reason_ttl="0"/><service name="unknown" method="table" conf="3"/></port>
</ports>
</host>
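
The reply above says that a field occurring both as a plain value and as an object in the same document cannot be mapped. The Ruby sketch below is an added example, not code from this thread or from Logstash: it walks an already-parsed event and lists the field paths that would conflict. The function names and the sample event (its script ids and its key/content layout) are constructed assumptions.

```ruby
# Elasticsearch maps each field path either as an object or as a leaf value.
# Arrays do not add a level to the path, so all elements share one mapping.

# Walk a parsed event and record, per dotted path, which kinds of value occur.
def collect_kinds(node, path, kinds)
  case node
  when Array
    # Arrays are transparent: every element is checked under the same path.
    node.each { |item| collect_kinds(item, path, kinds) }
  when Hash
    (kinds[path] ||= []) << :object unless path.empty?
    node.each do |key, value|
      child = path.empty? ? key.to_s : "#{path}.#{key}"
      collect_kinds(value, child, kinds)
    end
  when nil
    # A null value does not create a mapping, so it cannot conflict.
  else
    (kinds[path] ||= []) << :value
  end
end

# Return the sorted paths that hold both an object and a non-object value.
def mapping_conflicts(event)
  kinds = {}
  collect_kinds(event, "", kinds)
  kinds.select { |_, seen| seen.uniq.length > 1 }.keys.sort
end

# Constructed sample (assumed shape of one event after the split filter):
# one script carries plain-text elem values, the other keyed elem objects.
SAMPLE_EVENT = {
  "poc" => { "ports" => [{ "port" => {
    "portid" => "443",
    "script" => [
      { "id" => "example-a", "elem" => ["GET", "HEAD"] },
      { "id" => "example-b",
        "elem" => [{ "key" => "date", "content" => "2019-02-27T00:12:30+00:00" }] }
    ]
  } }] }
}

if __FILE__ == $PROGRAM_NAME
  mapping_conflicts(SAMPLE_EVENT).each { |path| puts "conflict: #{path}" }
end
```

Running the same check over an event before it is indexed shows which path needs to be renamed or flattened so that every occurrence has the same shape.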