Filebeat setup. could not load template error

ashmistry · June 29, 2023, 12:18am

Trying to setup filebeat on my stack. It's Elasticsearch OSS 7.10.2 with opensearch 2.4.1. I am using filebeat oss 7.12.1 and got a successful test output

[root]# filebeat test output
elasticsearch: https://xyz:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: xxx.x.x.x, xxx.x.x.x
    dial up... OK
  TLS...
    security... WARN server's certificate chain verification is disabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 2.4.1

However when I ran filebeat setup -e I get this massive error complaining about not finding a template. I have just included a single line from it to save some space:

ERROR	instance/beat.go:971	Exiting: error loading template: could not load template. Elasticsearch returned: couldn't load template: 400 Bad Request:

What could be the cause of this? I found this post, however

system · June 29, 2023, 12:18am

7.10.2 is EOL and no longer supported. Please upgrade ASAP.

(This is an automated response from your friendly Elastic bot. Please report this post if you have any suggestions or concerns )

leandrojmp · June 29, 2023, 1:08am

You need to use Filebeat 7.10.2, later versions won't work with Elasticsearch OSS or Opensearch because of the license change on version 7.11.

system · June 29, 2023, 1:08am

OpenSearch/OpenDistro are AWS run products and differ from the original Elasticsearch and Kibana products that Elastic builds and maintains. You may need to contact them directly for further assistance.

(This is an automated response from your friendly Elastic bot. Please report this post if you have any suggestions or concerns )

ashmistry · June 29, 2023, 3:43pm

Hi I set up Filebeat 7.10.2, and still got the same error message:

2023-06-29T10:39:29.461-0500	INFO	instance/beat.go:299	Setup Beat: filebeat; Version: 7.10.2
2023-06-29T10:39:29.461-0500	INFO	[index-management]	idxmgmt/std.go:184	Set output.elasticsearch.index to 'filebeat-7.10.2' as ILM is enabled.
2023-06-29T10:39:29.461-0500	INFO	eslegclient/connection.go:99	elasticsearch url: https://node1:9200
2023-06-29T10:39:29.461-0500	INFO	[publisher]	pipeline/module.go:113	Beat name: thenameofthebeat
2023-06-29T10:39:29.462-0500	INFO	eslegclient/connection.go:99	elasticsearch url: https://node1:9200
2023-06-29T10:39:29.466-0500	INFO	[esclientleg]	eslegclient/connection.go:314	Attempting to connect to Elasticsearch version 2.4.1
Overwriting ILM policy is disabled. Set `setup.ilm.overwrite: true` for enabling.

2023-06-29T10:39:29.468-0500	INFO	template/load.go:183	Existing template will be overwritten, as overwrite is enabled.
2023-06-29T10:39:29.551-0500	INFO	template/load.go:117	Try loading template filebeat-7.10.2 to Elasticsearch
2023-06-29T10:39:29.581-0500	ERROR	instance/beat.go:956	Exiting: error loading template: could not load template. Elasticsearch returned: couldn't load template: 400 Bad Request: {"error":{"root_cause"

system · June 29, 2023, 3:43pm

Elasticsearch version 2.4.1 is EOL and no longer supported. Please upgrade ASAP.

(This is an automated response from your friendly Elastic bot. Please report this post if you have any suggestions or concerns )

leandrojmp · June 29, 2023, 4:50pm

Please share the rest of the error.

ashmistry · June 29, 2023, 6:38pm

I didn't include all of it because it just goes on forever but if you need the full error let me know... I installed this by the way filebeat-oss-7.10.2-x86_64.rpm

2023-06-29T10:39:29.468-0500	INFO	template/load.go:183	Existing template will be overwritten, as overwrite is enabled.
2023-06-29T10:39:29.551-0500	INFO	template/load.go:117	Try loading template filebeat-7.10.2 to Elasticsearch
2023-06-29T10:39:29.581-0500	ERROR	instance/beat.go:956	Exiting: error loading template: could not load template. Elasticsearch returned: couldn't load template: 400 Bad Request: {"error":{"root_cause":[{"type":"mapper_parsing_exception","reason":"Root mapping definition has unsupported parameters:  [_default_ : {_meta={beat=filebeat, version=7.10.2}, dynamic_templates=[{labels={path_match=labels.*, mapping={type=keyword}, match_mapping_type=string}}, {container.labels={path_match=container.labels.*, mapping={type=keyword}, match_mapping_type=string}}, {fields={path_match=fields.*, mapping={type=keyword}, match_mapping_type=string}}, {docker.container.labels={path_match=docker.container.labels.*, mapping={type=keyword}, match_mapping_type=string}}, {kubernetes.labels.*={path_match=kubernetes.labels.*, mapping={type=keyword}, match_mapping_type=*}}, {kubernetes.annotations.*={path_match=kubernetes.annotations.*, mapping={type=keyword}, match_mapping_type=*}}, {docker.attrs={path_match=docker.attrs.*, mapping={type=keyword}, match_mapping_type=string}}, {kibana.log.meta={path_match=kibana.log.meta.*, mapping={type=keyword}, match_mapping_type=string}}, {strings_as_keyword={mapping={ignore_above=1024, index=not_analyzed, type=string}, match_mapping_type=string}}], date_detection=false, properties={container={properties={image={properties={name={ignore_above=1024, index=not_analyzed, type=string}, tag={ignore_above=1024, index=not_analyzed, type=string}}}, name={ignore_above=1024, index=not_analyzed, type=string}, runtime={ignore_above=1024, index=not_analyzed, type=string}, id={ignore_above=1024, index=not_analyzed, type=string}, labels={type=object}}}, kubernetes={properties={container={properties={image={ignore_above=1024, index=not_analyzed, type=string}, name={ignore_above=1024, index=not_analyzed, type=string}}}, node={properties={name={ignore_above=1024, index=not_analyzed, type=string}}}, pod={properties={uid={ignore_above=1024, index=not_analyzed, type=string}, name={ignore_above=1024, index=not_analyzed, type=string}}}, statefulset={properties={name={ignore_above=1024, index=not_analyzed, type=string}}}, namespace={ignore_above=1024, index=not_analyzed, type=string}, annotations={properties={*={type=object}}}, replicaset={properties={name={ignore_above=1024, index=not_analyzed, type=string}}}, labels={properties={*={type=object}}}, deployment={properties={name={ignore_above=1024, index=not_analyzed, type=string}}}}}, agent={properties={hostname={ignore_above=1024, index=not_analyzed, type=string}, build={properties={original={ignore_above=1024, index=not_analyzed, type=string}}}, name={ignore_above=1024, index=not_analyzed, type=string}, id={ignore_above=1024, index=not_analyzed,

system · July 27, 2023, 8:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.