Could not index event to Elasticsearch after upgrade

[2019-09-22T09:37:34,941][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-2019.09.22", :_type=>"doc", :routing=>nil}, #<LogStash::Event:0x4528d597>], :response=>{"index"=>{"_index"=>"logstash-2019.09.22", "_type"=>"doc", "_id"=>nil, "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"Failed to parse mapping [_default_]: [include_in_all] is not allowed for indices created on or after version 6.0.0 as [_all] is deprecated. As a replacement, you can use an [copy_to] on mapping fields to create your own catch all field.", "caused_by"=>{"type"=>"mapper_parsing_exception", "reason"=>"[include_in_all] is not allowed for indices created on or after version 6.0.0 as [_all] is deprecated. As a replacement, you can use an [copy_to] on mapping fields to create your own catch all field."}}}}}

I upgraded from 5.6.16 to 6.8.3 and now my Elastic won't index. I've read through several similar / identical topics, but no solution has worked. I do not have a clue about what to try to do to fix this. Please help.

Thank-you!

It seems to be a problem with an index template that have include_in_all set, which is no longer supported. You will need to update your index template to allow indexing to take place.

Thank-you for replying.

Is there an easy to understand guide for doing this?

Have a look at these:

https://www.elastic.co/guide/en/elasticsearch/reference/6.8/copy-to.html

https://www.elastic.co/guide/en/elasticsearch/reference/6.8/mapping-all-field.html

Thanks for that. I'm having trouble understanding the copy_to part. I'm afraid I need elasticsearch for dummies . I found in the Kibana 7.0 Upgrade Assistant a place to reindex, but it errors out due to not having a custom _all field.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.