Events are not indexing after upgradtion 5.6 to 6.0

sumeshms · November 20, 2017, 8:45am

Hello

I have upgraded elastic 5.6 to 6.0 and after that events are not indexing from any sources.

The below is a strip from logstash log. I have tried with and without index mapping.
Where can I find the updated index mapping templates?

[2017-11-20T11:37:44,696][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"winlogbeat-2017.11.20", :_type=>"wineventlog", :_routing=>nil}, #LogStash::Event:0x2f9e59e5], :response=>{"index"=>{"_index"=>"winlogbeat-2017.11.20", "_type"=>"wineventlog", "_id"=>"kAiT2F8B8FIdclYYevZJ", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"Rejecting mapping update to [winlogbeat-2017.11.20] as the final mapping would have more than 1 type: [winlogbeat, wineventlog]"}}}}

Regards
Sumesh

dadoonet · November 20, 2017, 10:23am

It seems like your template created a type named winlogbeat and logstash is using wineventlog.

You need to either remove the template and replace it with what is needed or update your logstash configuration to use winlogbeat.

sumeshms · November 20, 2017, 10:29am

What I did was , followed this post Help please.. breaking changes? - #10 by Maekee
and
Changed the logstash output to this:
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"

I was not using any index templates for mapping, still I dont understand why it started working!!!

Regards

dadoonet · November 20, 2017, 10:46am

What are the existing index templates?
What is your logstash configuration?

sumeshms · November 20, 2017, 10:50am

I have only one index template that is for logstash-*

{
  "logstash": {
    "order": 0,
    "version": 60001,
    "index_patterns": [
       "logstash-*"
    ],
    "settings": {
      "index": {
        "refresh_interval": "5s"
      }

Logstash :

input {
  beats {
    port => 5044
  }
}


output {

{
 elasticsearch {
    hosts => "http://localhost:9200"
    manage_template => true
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

dadoonet · November 20, 2017, 11:06am

Please format your code using </> icon as explained in this guide. It will make your post more readable.

Or use markdown style like:

```
CODE
```

I edited your post.

You index template is not complete I think. Could you share the full one please?

I think your logstash config is wrong. Could you share the real one please?

sumeshms · November 20, 2017, 12:22pm

Yes David am posting it here

input {
  beats {
port => 5044
  }
}

filter{} portion

if [type]=="wineventlog"
        {
        mutate { add_field => { "indexType" => "WINDOWS-LOGS" }
                                     }
                }

output{}

if [indexType]== "WINDOWS-LOGS"
{
 elasticsearch {
    hosts => "http://localhost:9200"
    manage_template => true
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"

  }
}

Thanks

dadoonet · November 20, 2017, 12:37pm

Please format your code using </> icon as explained in this guide. It will make your post more readable.

Or use markdown style like:

```
CODE
```

I’m pretty sure this logstash config does not work.
Which means you’re not copy/pasting it.

What is the mapping for your index?

sumeshms · November 20, 2017, 12:48pm

Hi David, my logstash configuration is huge that's why I have copied only the relevant portion. The remaining events processing and added to the indexes.

I have not specified any mapping as it is a new installation. So it might be taking the default mapping?

Regards
Sumesh

dadoonet · November 20, 2017, 1:22pm

Can you share the current mapping for this index?

sumeshms · November 20, 2017, 1:26pm

Sorry, how to get that?
Is it same as _/template/* ?

Regards
Sumesh

dadoonet · November 20, 2017, 2:02pm

GET winlogbeat-2017.11.20/_mapping

sumeshms · November 21, 2017, 4:49am

Hello, thanks. Here is the mapping.

https://pastebin.com/8kLy5JU3

Thanks

Sumesh

dadoonet · November 21, 2017, 6:54am

This is the mapping for 21st not 20th.

Do you still have the issue today?

sumeshms · November 21, 2017, 6:56am

Hello David

I have deleted that by mistake, anyway it is working fine today. Many thanks.

Regards
Sumesh

sumeshms · November 22, 2017, 6:58am

Hi David

If I haven't put any default index templates, how will elasticsearch map the data to an index?

Regards
Sumesh

dadoonet · November 22, 2017, 7:11am

It will guess. Which is sometime (often?) bad.
In practice, I feel better to define a mapping by my self so I have a finer control.

But if you are using Logstash or Beats, index templates are provided OOTB.

sumeshms · November 22, 2017, 7:15am

Thanks David
I understood.

I have multiple sensors such as beats, json file input, syslog, tcp, snmp etc.

Regards

system · December 20, 2017, 7:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Help please.. breaking changes? Logstash	16	13697	January 5, 2018
Could not index event to Elasticsearch after upgrade Logstash	5	646	October 20, 2019
Logstash 6.0 breaks winlogbeat agent indexing Logstash	3	1294	December 25, 2017
Migrating from Filebeat 5.5.2 to 6.0.0 Beats	7	2733	December 7, 2017
Could not index event to Elasticsearch after upgrade 5.6.14 -> 6.6 Logstash	2	368	April 15, 2019

Events are not indexing after upgradtion 5.6 to 6.0

Related topics