Help on mapping for "catch-all" fields

ebuildy · March 11, 2016, 4:30pm

In a medium company, with 12 developers, I setup a super logger with logstash + elasticsearch where anyone can log anything.

Log documents are like this:

{"date" : "....", "data" : {"myfield1":"hello", "myfield2": 3, "myfield3" : true ....}, "name" : "click"...}

Where data is the "catch-all" field, I mean myfield1 can be anything, posted by the developer. Problems appear if a dev A posts myfield1 as a string, and dev B posts it as a number, I got the famous:

{"type"=>"mapper_parsing_exception", "reason"=>"object mapping for [event.data.tags] tried to parse field [tags] as object, but found a concrete value"}

What could be the best way to handle a such situation with logstash and elasticsearch ? I am thinking about 3 solutions:

Force dev to respect a schema with proper naming
Force dev to use a naming convention such as "myfield1_{TYPE}" as type {TYPE}
Transform field name according type to "myfield1_{TYPE}"

Thanks,

jprante · March 11, 2016, 9:38pm

Mapping does not accept objects and primitives (string/number) at the same field.

In your example

{
  "event" : {
    "data" : {
      "tags" : "foobar"
    }
  }
}

and

{
  "event" : {
    "data" : {
      "tags" : {
          "foo" : "bar"
      }
    }
  }
}

Force your developers to send either objects or primitives to a field.

ebuildy · March 12, 2016, 7:15am

Yep i understand, thanks you.

Topic		Replies	Views
Same field name with different types? Logstash	3	1606	July 6, 2017
Super-noob needs help with a mapping error Logstash	3	519	January 19, 2019
Single field object to Elasticsearch using Logstash Logstash	8	538	March 12, 2020
Existing mapping for [myfield] must be of type object but found [text] Logstash	2	3115	September 15, 2017
JSON Index Error: same field names different datatypes Elasticsearch	5	921	June 12, 2017

Help on mapping for "catch-all" fields

Related topics