Elasticsearch indexing error

cybersecc · May 8, 2018, 10:36am

[2018-05-08T08:28:00,038][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>"02b93158-3f9e-4931-8e2c-1c8186aed688", :_index=>"aa-2018-05-08", :_type=>"bla", :_routing=>nil}, 2018-05-08T08:26:24.694Z machine_ip %{message}], :response=>{"index"=>{"_index"=>"aa-2018-05-08", "_type"=>"bla", "_id"=>"02b93158-3f9e-4931-8e2c-1c8186aed688", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"mapper [message] cannot be changed from type [keyword] to [text]"}}}}

Any help? all I have found is reindexing thing I can not do since I do not know how the initial template was. It will be great also, if someone could explain the root cause of this error.
Thanks

dadoonet · May 8, 2018, 11:35am

Root cause is that you can't change a mapping of an existing field.

cybersecc · May 8, 2018, 1:24pm

And what should I do, because I no longer have events in elasticsearch due to this error

dadoonet · May 8, 2018, 1:38pm

May be change the mapping or the index template?

cybersecc · May 8, 2018, 1:46pm

the index template, by doing reindex.. it means that I must first create a new index template. The problem is that I don't know the template I should use ( I'm new to elasticsearch)

dadoonet · May 8, 2018, 2:01pm

Is that an old cluster? A new one?

cybersecc · May 8, 2018, 2:02pm

3 month old. But I must preserve the data

dadoonet · May 8, 2018, 2:34pm

Daily indices I believe?

What gives

GET _templates

cybersecc · May 8, 2018, 2:38pm

{
  "error": {
    "root_cause": [
      {
        "type": "illegal_argument_exception",
        "reason": "No endpoint or operation is available at [_templates]"
      }
    ],
    "type": "illegal_argument_exception",
    "reason": "No endpoint or operation is available at [_templates]"
  },
  "status": 400
}
```.
may this is because I did some bad manipulations, but When I issue _template(without s) I got a response

dadoonet · May 8, 2018, 3:32pm

Sorry. I meant:

GET _template

cybersecc · May 8, 2018, 3:47pm

Here is a link( huge amount of characters ) : https://pastebin.com/raw/nfZXH53N

dadoonet · May 8, 2018, 6:30pm

I don't see any template which would match with aa-2018-05-08.

So I have no idea of what you are doing. May be explain a bit the context of the first error message you got?

system · June 5, 2018, 6:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.