I am using Filebeat 6.2.1 to pick up logs, parse them as JSON and send them to Elasticsearch 6.5.4, and I am getting the following error:
WARN elasticsearch/client.go:520
Cannot index event publisher.Event{Content:beat.Event{Timestamp:
[...]
"mapper_parsing_exception","reason":
"object mapping for [event] tried to parse field [event] as object, but found a concrete value
I think this is a field mapping issue and also related to nested JSON parsing, but I am not sure how to approach solving it.
filebeat.yml:
# ======================================
# Filebeat prospectors
filebeat.prospectors:
- type: log
  # Change to true to enable this prospector configuration.
  enabled: true
  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/bridge/*.json
    #- c:\programdata\elasticsearch\logs\*
  ignore_older: 24h
  scan_frequency: ${FilebeatScanFrequency}
  json:
    message_key: event
    keys_under_root: true
# ======================================
# Elasticsearch template setting
setup.template.settings:
  index.number_of_shards: 1
Example filebeat output:
{
  "_index": "filebeat-6.2.1-date",
  "_type": "doc",
  "_id": "nh6Z9WcBwAmR4kjdfofdk-H",
  "_version": 1,
  "_score": null,
  "_source": {
    "@timestamp": "2018-12-28T16:15:48.012Z",
    "event": "",
    "Timestamp": "2018-12-28T21:45:42.7876369+05:30",
    "Level": "Information",
    "MessageTemplate": "{AuthenticationScheme} was not authenticated. Failure message: {FailureMessage}",
    "beat": {
      "name": "DB-01",
      "hostname": "DB-01",
      "version": "6.2.1"
    },
    "Properties": {
      "EventId": {
        "Id": 7
      },
      "Country": "Canada",
      "Format": "json",
      "MachineName": "DB-01",
      "ThreadId": 57,
      "Source": "Example API",
      "FailureMessage": "No authorization header.",
      "SourceContext": "Odachi.AspNetCore.Authentication.Basic.BasicMiddleware",
      "RequestPath": "/status",
      "AuthenticationScheme": "Basic",
      "ProcessId": 4627,
      "EnvironmentUserName": "EXAMPLEDNS\\example.api",
      "RequestId": "0NKDFUJDFKDL",
      "Environment": "Production"
    },
    "source": "D:\\Logs\\Company Example-api.json",
    "offset": 9575044,
    "RenderedMessage": "\"Basic\" was not authenticated. Failure message: \"No authorization header.\"",
    "prospector": {
      "type": "log"
    }
  },
  "fields": {
    "@timestamp": [
      "2018-12-28T16:15:48.012Z"
    ]
  },
  "sort": [
    154601321324346
  ]
}
I am looking for a way to correctly fix the mapping error and successfully send parsed JSON logs to Elasticsearch. Thanks in advance for any help or suggestions.
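The error quoted above says the index maps `event` as an object while this document carries it as a concrete value. The check below is an added example, not part of the original post: it walks an event against a mapping and reports such fields offline, before events are rejected at index time. The mapping is an assumption (the post does not show the index's real mapping), and `find_conflicts` and the `dataset` sub-field are hypothetical names.

```python
# Added example: offline check of one event against an index mapping.
# The mapping below is constructed; the post does not show the real one.

def find_conflicts(mapping, doc, prefix=""):
    """Return (field_path, problem) pairs where doc does not fit mapping."""
    conflicts = []
    props = mapping.get("properties", {})
    for name, value in doc.items():
        path = prefix + name
        field = props.get(name)
        if field is None:
            continue  # unmapped field: left to dynamic mapping, not checked
        # Elasticsearch treats an array as several values of the same field.
        values = value if isinstance(value, list) else [value]
        is_object = "properties" in field or field.get("type") in ("object", "nested")
        for v in values:
            if v is None:
                continue  # null values are not indexed
            if is_object and not isinstance(v, dict):
                conflicts.append((path, "mapped as object, found concrete value"))
            elif not is_object and isinstance(v, dict):
                conflicts.append((path, "mapped as %s, found object" % field.get("type")))
            elif is_object:
                conflicts.extend(find_conflicts(field, v, path + "."))
    return conflicts

# Constructed mapping: `event` is an object with one sub-field (assumption).
ASSUMED_MAPPING = {
    "properties": {
        "event": {"properties": {"dataset": {"type": "keyword"}}},
        "Level": {"type": "keyword"},
        "Properties": {"properties": {"EventId": {"properties": {"Id": {"type": "long"}}}}},
    }
}

# Trimmed copy of the event shown in the post.
SAMPLE_EVENT = {
    "event": "",
    "Level": "Information",
    "Properties": {"EventId": {"Id": 7}, "Country": "Canada"},
}

if __name__ == "__main__":
    for path, problem in find_conflicts(ASSUMED_MAPPING, SAMPLE_EVENT):
        print(path + ": " + problem)
```

To run it against a real index, replace `ASSUMED_MAPPING` with the `mappings` section returned for that index and feed it the events that Filebeat reports as not indexable.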