Could not index event to Elasticsearch.Rejecting mapping update to [] as the final mapping would have more than 1 type: [_doc,syslog]

Hello everybody!
I get the following error when I try to send syslog data to Elasticsearch Index:

[logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"arcsight-2020.06.11", :_type=>"syslog", :_routing=>nil}, #LogStash::Event:0x262ee34b], :response=>{"index"=>{"_index"=>"arcsight-2020.06.11", "_type"=>"syslog", "_id"=>"uv2dnWEBlrOJlly6qpiU", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"Rejecting mapping update to [arcsight-2020.06.11] as the final mapping would have more than 1 type: [_doc,syslog]

I also want to mention that I get the following warning:

[WARN ][logstash.outputs.elasticsearch] You are using a deprecated config setting "document_type" set in elasticsearch. Deprecated settings will continue to work, but are scheduled for removal from logstash in the future. Document types are being deprecated in Elasticsearch 6.0, and removed entirely in 7.0.

I dont know if this is the cause of the first error, but I guess that these two things are related. I use ELK 7.6.2.

If somebody has any ideas, please help me to solve this problem! Thanks in advance!

Remove the document_type option from the elasticsearch output.

Hi @Badger and thank you very much for your reply!

This topic is related to my post discuss.elastic.co for which I have found the solution that implicitly solved this problem I posted here.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.