please see the follow:
why es parse log level as a int value?
if i change the log level to int value and this problem is resolved,but not my need.
json log:
{"@timestamp":"2016-03-04T16:46:45.574+08:00","@version":1,"message":"FrameworkServlet '': initialization completed in 2428 ms","logger_name":"org.springframework.test.web.servlet.TestDispatcherServlet","thread_name":"main","level":"INFO","level_value":20000,"HOSTNAME":"xxx"}
Have a look at the mappings for the index and check how the field is mapped. If you are using dynamic mappings Elasticsearch will try to determine the field type based on the first occurrence. If the first document you indexed had level set to an integer, Elasticsearch would map it as such and subsequent records with a string value for this field would then fail.
i use heka collect json log data to es directly.
and i do not specified the es dynamic mappings the up you said.
If you do not specify any mappings, dynamic mappings will be used by default. Look at some records you have managed to get indexed that have the level field and verify that these are mapped as integers. You can also get the mapping being used for the index through the get mapping API.
thanks