Elasticsearch indexing error

cybersecc · May 8, 2018, 10:36am

[2018-05-08T08:28:00,038][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>"02b93158-3f9e-4931-8e2c-1c8186aed688", :_index=>"aa-2018-05-08", :_type=>"bla", :_routing=>nil}, 2018-05-08T08:26:24.694Z machine_ip %{message}], :response=>{"index"=>{"_index"=>"aa-2018-05-08", "_type"=>"bla", "_id"=>"02b93158-3f9e-4931-8e2c-1c8186aed688", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"mapper [message] cannot be changed from type [keyword] to [text]"}}}}

Any help? all I have found is reindexing thing I can not do since I do not know how the initial template was. It will be great also, if someone could explain the root cause of this error.
Thanks

dadoonet · May 8, 2018, 11:35am

Root cause is that you can't change a mapping of an existing field.

cybersecc · May 8, 2018, 1:24pm

And what should I do, because I no longer have events in elasticsearch due to this error

dadoonet · May 8, 2018, 1:38pm

May be change the mapping or the index template?

cybersecc · May 8, 2018, 1:46pm

the index template, by doing reindex.. it means that I must first create a new index template. The problem is that I don't know the template I should use ( I'm new to elasticsearch)

dadoonet · May 8, 2018, 2:01pm

Is that an old cluster? A new one?

cybersecc · May 8, 2018, 2:02pm

3 month old. But I must preserve the data

dadoonet · May 8, 2018, 2:34pm

Daily indices I believe?

What gives

GET _templates

cybersecc · May 8, 2018, 2:38pm

{
  "error": {
    "root_cause": [
      {
        "type": "illegal_argument_exception",
        "reason": "No endpoint or operation is available at [_templates]"
      }
    ],
    "type": "illegal_argument_exception",
    "reason": "No endpoint or operation is available at [_templates]"
  },
  "status": 400
}
```.
may this is because I did some bad manipulations, but When I issue _template(without s) I got a response

dadoonet · May 8, 2018, 3:32pm

Sorry. I meant:

GET _template

cybersecc · May 8, 2018, 3:47pm

Here is a link( huge amount of characters ) : https://pastebin.com/raw/nfZXH53N

dadoonet · May 8, 2018, 6:30pm

I don't see any template which would match with aa-2018-05-08.

So I have no idea of what you are doing. May be explain a bit the context of the first error message you got?

system · June 5, 2018, 6:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Could not index event to Elasticsearch after upgrade to 7.0.1 Logstash	2	1238	July 18, 2019
Could not index event to Elasticsearch - ES 6.3.2 Failed Mapping Elasticsearch	2	633	September 11, 2018
Unable to index with below error Logstash	1	225	March 24, 2021
Logstash Could not index event to Elasticsearch The [default] mapping cannot be updated on index Logstash	6	8034	May 31, 2019
Could not index event to Elasticsearch Errror Elasticsearch	5	1087	May 25, 2020

Elasticsearch indexing error

Related topics