Field type changed results in a conflict - kibana reports an error

Dear All,
from a firewall I send log information to filebeat into a self written module. Within a kibana dashboard I have several lenses to get information of different events and aggregations. This is now running several days without any modification, no updates and no reboot. Today I realised that kibana doesn't show some data and brings an error. For example "Field mikrotik_remoteip is of the wrong type".
Using "Discover" I see an exclamation mark beside several fields, also for "mikrotik_remoteip". It says "This field is defined as several types ...."
When I visit "Stack Management" -> "Data Views" -> "filebeat-*" I also get the warning with details:

This field has a type conflict
The type of the mikrotik_remoteip field changes across indices and might not be available for search, visualizations, and other analysis.

Demo of EuiBasicTable
Type     Indices
ip       .ds-filebeat-8.3.2-2022.12.04-000001, .ds-filebeat-8.5.3-2022.12.11-000001
keyword  .ds-filebeat-8.5.3-2023.01.10-000002

How is it that the type currently changed from "ip" to "keyword" ?
And what should be done that it doesn't happen again ?

Any help is welcome.

// Hans

As you may know, Data streams mappings are defined by an index template that may compose (or not) a number of index template components and an Index Lifecycle Policy (ILM) as described here

Maybe there was a change in your templates or the data stream definition and when a new index was created following the ILM policy, the resulting mapping was different?

You can run queries with Dev Tools to check the templates and definitions or use the Stack Management section just right to the Data Stream tab.

Hi Jorge, many thanks for this hint and the link. Obviously I did it wrong. As I am using "filebeat" and there is already a index template I have to look how to do and to expand. // Hans

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.