Your mapping says that [xml_content][Request][TranslatedMessage] should be an object containing multiple fields. In elasticsearch a field can be either an object or a value, it cannot be an object in some documents and a value in others. So any events where [xml_content][Request][TranslatedMessage] is a concrete value rather than an object will get rejected. The solution is to detect that it is a value and rename it so that the value is field within it instead.