I want to use a conditional statement in my logstash config, so that syslogs are sent to "syslogindex" and other logs are sent to "testindex". I have tried multiple things, but it just does not work. This is my config:
The Logstash log then always shows something like "_index => Testindex, Reason: Could not index event to elasticsearch. Object mapping for [host] tried to parse field [host] as object, but found a concrete value". This tells me that the condition is not working and the logs are sent to the wrong index, which is not configured to take syslogs.
Adding the tag makes the logs go to the correct index now, but I still receive the mapping error. I tried creating a new, simple mapping. But here I receive the error "mapper [message] cannot be changed from type [match_only_text] to [text]". This is my mapping:
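One way to do the tag-based routing described above, as an added example pipeline that is not the poster's config; the listening ports, the tag name and the Elasticsearch address are assumed:

```logstash
# Added example (not the original poster's config): the syslog input tags every
# event it produces, and the output block routes on that tag. Assumed values:
# syslog on port 5514, beats on port 5044, Elasticsearch at localhost:9200.
input {
  syslog {
    port => 5514
    tags => ["syslog"]        # every event from this input carries the tag
  }
  beats {
    port => 5044              # other log sources, routed to testindex below
  }
}

filter {
  # Make misrouting visible in the data: an event that reaches the output
  # without any tag gets an "untagged" marker instead of failing silently.
  if ![tags] {
    mutate { add_tag => ["untagged"] }
  }
}

output {
  if "syslog" in [tags] {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "syslogindex"   # mapping here accepts [host] as a plain string
    }
  } else {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "testindex"     # mapping here expects [host] as an object
    }
  }
}
```

The comments on the two indices only restate what the error message in the thread implies; check the actual mapping of each index with GET <index>/_mapping before relying on it.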
You cannot change the mapping of a field when this field already exists. Normally, when using Index Lifecycle Management, you would update the mapping in the index template and then rollover the write alias. This creates a new index with the new mapping.
If you do not use Lifecycle Management, you would need to create a new index manually and point Logstash to it.
I tried changing the mapping again and just removed the fields that would result in a type change error. This way, the fields that were already working were left unchanged and the new ones were added. Thank you for your time.