Errors ingesting elasticsearch audit due to mapping of request.method

We're getting errors like this:

"Could not dynamically add mapping for field [request.method]. Existing mapping for [elasticsearch.audit.request] must be of type object but found [keyword]."

It look like it's attempting to create a field elasticsearch.audit.request.method, but there is a keyword field in the filebeat-6.7.1 template for elasticsearch.audit.request as a keyword.

There is a section of code in the ingest pipeline filebeat-6.7.1-elasticsearch-audit-pipeline-json that looks like it should handle this:

    "dot_expander" : {
      "field" : "request.method",
      "path" : "elasticsearch.audit"
    "rename" : {
      "if" : "ctx.elasticsearch.audit?.request?.method != null",
      "field" : "elasticsearch.audit.request.method",
      "target_field" : "elasticsearch.audit.request_method"

Any idea why the rename isn't working? Or what else could be causing the problem?

All components are 6.7.1.


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.