Hi, I've this simple filter to parse data, the problem is that sometimes logs are are saved in ES but are not correctly mapped.
date{
match => [ "acc-log-timestamp", "yyyy-MM-dd HH:mm:ss", "ISO8601" ]
target => "acc-log-timestamp"
}
The error I found in ES is:
[2018-03-18T02:00:04,001][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {
:status=>400,
:action=>["index", {:_id=>"300370831", :_index=>"logstash-2018.03.18", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x2f1342db>],
:response=>{"index"=>{"_index"=>"logstash-2018.03.18", "_type"=>"doc", "_id"=>"300370831", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"mapper [acc-log-timestamp] of different type, current_type[text],merged_type [date]"}}}}
I looked for that log in ES and the acc-log-timestamp value seems correct.
"acc-log-timestamp": "2018-03-17T23:20:14.000Z",
"@timestamp": "2018-03-18T23:30:16.017Z",
My template is the default one, I didn't change it.