We're getting errors like this:
"Could not dynamically add mapping for field [request.method]. Existing mapping for [elasticsearch.audit.request] must be of type object but found [keyword]."
It look like it's attempting to create a field elasticsearch.audit.request.method, but there is a keyword field in the filebeat-6.7.1 template for elasticsearch.audit.request as a keyword.
There is a section of code in the ingest pipeline filebeat-6.7.1-elasticsearch-audit-pipeline-json that looks like it should handle this:
{ "dot_expander" : { "field" : "request.method", "path" : "elasticsearch.audit" } }, { "rename" : { "if" : "ctx.elasticsearch.audit?.request?.method != null", "field" : "elasticsearch.audit.request.method", "target_field" : "elasticsearch.audit.request_method" } },
Any idea why the rename isn't working? Or what else could be causing the problem?
All components are 6.7.1.
Thanks