We are trying to use uberAgent with Elasticsearch but can't seem to get communication between the two. We've set our receiver settings and uberAgent is sending data to Elasticsearch, but it's queuing up.
The error message that I'm getting was pulled from the uberAgent logs:
2018-09-12 18:41:08.830 -0400,INFO ,(#########),4644,ReceiverStatistics,Elasticsearch; http://servername:9200 - Events in queue: 1, queue size: 91.9 KB, sent: 71, added to queue: 71, rejected from queue: 0
2018-09-12 18:41:08.870 -0400,ERROR,(##########),7912,SendData,One or more events could not be processed by the server http://servername:9200/uberagent/uberagent/_bulk. Error: "type":"illegal_argument_exception","reason":"Rejecting mapping update to [uberagent] as the final mapping would have more than 1 type: [uberagent, _doc]"
If I'm reading this correctly, there are two mapping layers of uberagent, one in the index field and one in the type field, which is causing a conflict when data is trying to be input into the system (i.e. you have types). So /uberagent/uberagent is where the problem on our server lies.
This is also the first bit of the JSON file that we're using when we install. Should the "index_patterns": ["uberagent*"] field be changed to just * or something else?
{
    "index_patterns": ["uberagent*"],
    "order": 100,
    "mappings":
    {
        "uberagent":
        {
            "_all": {"enabled": false},
            "dynamic": "strict",
            "date_detection": false,
            "properties":
            {
                "time" : {"type" : "date"},
                "Sourcetype" : {"type" : "keyword", "index": true},
                "host" : {"type" : "keyword", "index": true},
                "SessionGUID" : {"type" : "keyword", "index": true},
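As an added example, not part of the original post or of uberAgent: a small Python check that reproduces the conflict described above from data, comparing the mapping type an existing index already has (Elasticsearch 6.x allows exactly one type per index) against the type declared in the uberAgent index template, and parsing the rejection out of the uberAgent log line. The mapping response and the template fragment below are constructed samples in the ES 6.x response shape.

```python
import re

# Constructed sample: shape of an Elasticsearch 6.x "GET /uberagent/_mapping"
# response for an index that was auto-created with the default "_doc" type.
EXISTING_MAPPING = {
    "uberagent": {
        "mappings": {
            "_doc": {"properties": {"time": {"type": "date"}}}
        }
    }
}

# Constructed sample: the relevant part of the uberAgent index template,
# which declares its own "uberagent" mapping type.
TEMPLATE = {
    "index_patterns": ["uberagent*"],
    "order": 100,
    "mappings": {
        "uberagent": {
            "dynamic": "strict",
            "properties": {"time": {"type": "date"}},
        }
    },
}

# Constructed sample: the SendData error line as uberAgent logs it.
SAMPLE_LOG_LINE = (
    '2018-09-12 18:41:08.870 -0400,ERROR,(##########),7912,SendData,'
    'One or more events could not be processed by the server '
    'http://servername:9200/uberagent/uberagent/_bulk. Error: '
    '"type":"illegal_argument_exception","reason":"Rejecting mapping update '
    'to [uberagent] as the final mapping would have more than 1 type: [uberagent, _doc]"'
)

ERROR_RE = re.compile(
    r"Rejecting mapping update to \[(?P<index>[^\]]+)\] as the final mapping "
    r"would have more than 1 type: \[(?P<types>[^\]]+)\]"
)


def mapping_types(mapping_response, index_name):
    """Mapping types currently present on an index (ES 6.x response shape)."""
    return set(mapping_response[index_name]["mappings"].keys())


def resulting_types(mapping_response, index_name, template):
    """Types the index would carry after the template's mapping is applied.

    More than one entry means Elasticsearch 6.x will reject the bulk request
    with illegal_argument_exception, which is exactly the error in the post.
    """
    return mapping_types(mapping_response, index_name) | set(template["mappings"])


def parse_rejection(log_line):
    """Return (index, [types]) from an uberAgent SendData rejection, or None."""
    m = ERROR_RE.search(log_line)
    if not m:
        return None
    return m.group("index"), [t.strip() for t in m.group("types").split(",")]
```

Run the check against the real `GET /<index>/_mapping` output before re-sending; if more than one type comes back, the index and the template disagree on the type name.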