Field Type changing between indexes breaking searches

romeotheriault · March 26, 2016, 10:12am

I send windows eventlogs and linux syslog messages to logstash which then sends them into elasticsearch. Most of the time everything works great, but once in a while it seems some messages get sent in that mess up searching in elasticsearch. When this happens a search returns shard failures with this error:

Field data loading is forbidden on StartTime

I checked the "type" of StartTime on all of the indexes and most have it set (properly) to:

                "StartTime": {
                    "format": "strict_date_optional_time||epoch_millis",
                    "type": "date"

but some have the field with a type of "string". Which is what appears to be breaking the searches.

How can I fix this? How can I force StartTime to be of type date? How can I find what messages have the StartTime field with the "string"?

Thank you!

Glen_Smith · March 26, 2016, 2:23pm

Look into Index Templates - what they are in Elasticsearch and how Logstash can be configured to use them.

You quite likely have one for logstash in place on your cluster. Updating that to map StartTime as a date with the formats you expect will cause that to happen upon every index creation that matches the template name pattern.

romeotheriault · March 28, 2016, 2:14am

Thanks for the pointer Glen! I'll look into that.

Topic		Replies	Views
ES 7.4 Field [start_time] of type [keyword] does not support custom formats Elasticsearch	6	8809	August 14, 2020
Problem setting "data" type Logstash	5	294	June 28, 2018
Logstash trying to parse date to the wrong field Logstash	4	1097	August 9, 2017
How to prevent autmatically type conversion in elasticsearch Elasticsearch	3	475	February 11, 2021
Logstash couldn't index date field for few log lines Logstash	4	489	July 12, 2019

Field Type changing between indexes breaking searches

Related topics