Field Type changing between indexes breaking searches

romeotheriault · March 26, 2016, 10:12am

I send windows eventlogs and linux syslog messages to logstash which then sends them into elasticsearch. Most of the time everything works great, but once in a while it seems some messages get sent in that mess up searching in elasticsearch. When this happens a search returns shard failures with this error:

Field data loading is forbidden on StartTime

I checked the "type" of StartTime on all of the indexes and most have it set (properly) to:

                "StartTime": {
                    "format": "strict_date_optional_time||epoch_millis",
                    "type": "date"

but some have the field with a type of "string". Which is what appears to be breaking the searches.

How can I fix this? How can I force StartTime to be of type date? How can I find what messages have the StartTime field with the "string"?

Thank you!

Glen_Smith · March 26, 2016, 2:23pm

Look into Index Templates - what they are in Elasticsearch and how Logstash can be configured to use them.

You quite likely have one for logstash in place on your cluster. Updating that to map StartTime as a date with the formats you expect will cause that to happen upon every index creation that matches the template name pattern.

romeotheriault · March 28, 2016, 2:14am

Thanks for the pointer Glen! I'll look into that.