I did an upgrade on my personal ELK stack to 6 yesterday and everything was fine until 1600PST / 0000 UTC.

[2017-11-14T16:00:05,887][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"apache-2017.11.15", :_type=>"apache", :_routing=>nil}, #LogStash::Event:0x53f53a4b], :response=>{"index"=>{"_index"=>"apache-2017.11.15", "_type"=>"apache", "_id"=>nil, "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"Failed to parse mapping [default]: No handler for type [string] declared on field [message]", "caused_by"=>{"type"=>"mapper_parsing_exception", "reason"=>"No handler for type [string] declared on field [message]"}}}}}

I am guessing that it has something to do with an incorrect index template. I tried to update the mapping template using:

filebeat setup --template

Loaded index template

But it doesn't seem to help any.

I resolved my own problem. The manual method to load the new template failed, so I added the elasticsearch output in filebeat to do the autoload, but I had a typo in the path to fields.yml.

I'm getting the same error, can you be more specific on how you fixed it?

https://www.elastic.co/guide/en/beats/filebeat/6.0/filebeat-template.html

I used the default autoload method because the manual method failed. It
required commenting out the logstash output since you can only have one
output type in the filebeat config.

I exported the template with this

sudo ./filebeat -c /etc/filebeat/filebeat.yml export template &> ~/filebeat.template.json

Then loaded it with this since the machine running filebeat does not have access to elasticsearch.

curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_template/filebeat-6.0.0 -d@filebeat.template.json

But I am still getting the same errors. I restarted filebeat on the remote machine, logstash and elasticsearch on the es machine. What can I try next?

Can you run filebeat locally on the same box as your elastic node?

Beyond that, I don't know why the manual install doesn't work as indicated
in the docs.

No I have filebeat running on my AWS VMs to send apache logs to Logstash/ES which is local. Anyone else have ideas? Thanks!

Do I need to remove my old indices?

Does anyone have more ideas that can help? I can't seem to figure this out! I have a feeling I had upgraded incorrectly from 5.6 to 6.0 and that has something to do with it.

I've tried stopping logstash, importing the template again manually from the docs, deleting all old indices and filebeat indices and still this is occurring. Please help!

Hours and hours later still can't get this to work, hoping for some help thanks.

I had a similar problem

org.elasticsearch.index.mapper.MapperParsingException: Failed to parse mapping [default]: No handler for type [string] declared on field ...

and I solved it by changing the mapping type from "string" to "text" in the template.

Since I couldn't get help I ended up deleting my whole stack and starting over. Maybe for someone else this could help, where did you change the mapping type? How did you do it? What is the command or config change to fix it? For new people to ELK the docs are sparse and hard to understand.

Here is the documentation

I made a PUT request on localhost:9200/_template/mytemplate
with body
__{template=mytemplate-*, mappings={default={properties={logLevel={type=text}, timestamp={type=date}, eventType={type=text}}}}}
and Authorization basic auth.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.