I am encountering lots of error messages in the elastic logs as I send messages from Logstash. What do I have to do to myfield in order to make it an object?
"message" => "^%{TIMESTAMP_ISO8601:timestamp},%{NUMBER:tz} [%{LOGLEVEL:loglevel}\s*][(?<myfield>[\w\d{=,\ (\()}:-.]+)][(?[\w\d:-.]+)]%{GREEDYDATA:unstructured_data}"
Here are the log details:
message:
2017-07-13T04:37:10,782 [INFO ][Client-Push:1:2][PriceRequestListener] Received PriceRequest: std_hdr { begin_string: "SX" msg_type: "PriceRequest"
I think it doesn't like the ":" in myfield. But I need to catch everything. How can I exclude this? I think this is a Logstash topic.
[2017-08-16T12:08:04,205][DEBUG][o.e.a.b.TransportShardBulkAction] [e2UIlPy] [logstash-2017.08.16-pf][1] failed to execute bulk item (index) BulkShardRequest [[logstash-2017.08.16-pf][1]] containing [26] requests
org.elasticsearch.index.mapper.MapperParsingException: Could not dynamically add mapping for field [Thread.java]. Existing mapping for [myfield] must be of type object but found [text].
at org.elasticsearch.index.mapper.DocumentParser.getDynamicParentMapper(DocumentParser.java:861) ~[elasticsearch-5.4.2.jar:5.4.2]
at org.elasticsearch.index.mapper.DocumentParser.parseValue(DocumentParser.java:581) ~[elasticsearch-5.4.2.jar:5.4.2]
at org.elasticsearch.index.mapper.DocumentParser.innerParseObject(DocumentParser.java:396) ~[elasticsearch-5.4.2.jar:5.4.2]
at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrNested(DocumentParser.java:373) ~[elasticsearch-5.4.2.jar:5.4.2]
at org.elasticsearch.index.mapper.DocumentParser.internalParseDocument(DocumentParser.java:93) ~[elasticsearch-5.4.2.jar:5.4.2]
at org.elasticsearch.index.mapper.DocumentParser.parseDocument(DocumentParser.java:66) ~[elasticsearch-5.4.2.jar:5.4.2]
at org.elasticsearch.index.mapper.DocumentMapper.parse(DocumentMapper.java:277) ~[elasticsearch-5.4.2.jar:5.4.2]
at org.elasticsearch.index.shard.IndexShard.prepareIndex(IndexShard.java:536) ~[elasticsearch-5.4.2.jar:5.4.2]
at org.elasticsearch.index.shard.IndexShard.prepareIndexOnPrimary(IndexShard.java:513) ~[elasticsearch-5.4.2.jar:5.4.2]
at org.elasticsearch.action.bulk.TransportShardBulkAction.prepareIndexOperationOnPrimary(TransportShardBulkAction.java:450) ~[elasticsearch-5.4.2.jar:5.4.2]