Could not index event to elasticsearch not sure why

rahulsaini · June 22, 2018, 2:39pm

[2018-06-21T10:54:08,459][INFO ][logstash.outputs.elasticsearch] Using mapping template from {:path=>nil}
[2018-06-21T10:54:08,507][INFO ][logstash.outputs.elasticsearch] Attempting to install template {:manage_template=>{"template"=>"logstash-", "version"=>60001, "settings"=>{"index.refresh_interval"=>"5s"}, "mappings"=>{"default"=>{"dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date"}, "@version"=>{"type"=>"keyword"}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}}
[2018-06-21T10:54:08,577][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["http://localhost:9200/"]}
[2018-06-21T10:54:08,692][INFO ][logstash.inputs.http_poller] Registering http_poller Input {:type=>nil, :schedule=>{"cron"=>"*/2 * * * *"}, :timeout=>nil}
[2018-06-21T10:54:08,771][INFO ][logstash.pipeline ] Pipeline started succesfully {:pipeline_id=>"main", :thread=>"#<Thread:0x71b35d93 run>"}
[2018-06-21T10:54:08,955][INFO ][logstash.agent ] Pipelines running {:count=>1, :pipelines=>["main"]}
[2018-06-21T10:56:01,651][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"awscloudhealth", :_type=>"doc", :_routing=>nil}, #LogStash::Event:0x717005ba], :response=>{"index"=>{"_index"=>"awscloudhealth", "_type"=>"doc", "_id"=>"xODYImQBvS4rOSxdWow6", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"mapper [dimensions.time.label] of different type, current_type , merged_type [text]"}}}}

CONFIG FILE

input {
http_poller {
urls => {
ch_costapi => {
method => "GET"
url => "xxxx"
headers => {
Accept => "application/json"
}
}
}
request_timeout => 30
schedule => { cron => "*/2 * * * *"}
codec => "json"
}
}
filter {
json_encode {
source => "message"
}
}
filter
{
mutate {
remove_field => [ "[time][label]" ]
}
}
output {
elasticsearch{
hosts => [
"http://localhost:9200/"
]
index => "awscloudhealth"
cacert => "xxxx"
}
stdout {
codec => rubydebug {
}
}
}

rahulsaini · June 25, 2018, 5:16pm

anyone please help

Christian_Dahlqvist · June 25, 2018, 5:21pm

You probably have a better chance of getting help if you can show what the event looks like, e.g. by posting the output from the stdout plugin. Without that it is hard to tell.

rahulsaini · June 25, 2018, 5:57pm

I'm absolute beginner to this so I have no idea about that
but what I have figured out so far is that my date field is date datatype and i am passing the text datatype.

I tried to mutate the field like this but it doesn't work

filter {
mutate {
remove_field => [ "dimensions.time.label" ]
}
}

I think you must be referring about this

output {
elasticsearch{
hosts => [ "http://localhost:9200/"]
index => "awscloudhealth"
}
stdout {
codec => rubydebug {}
}
}

Please let me know

Thanks

system · July 23, 2018, 5:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.