Logstash Could not index event to Elasticsearch The [default] mapping cannot be updated on index

Moshe_Nadler · April 17, 2019, 2:29pm

After an upgrade to elastic stack 7 Logstash cannot send logs to elasticsearch any more. We see the following error:

[2019-04-17T14:25:31,292][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-aws-alb-logs-2019.04.17", :_type=>"_doc", :routing=>nil}, #LogStash::Event:0x47817ce4], :response=>{"index"=>{"_index"=>"logstash-aws-alb-logs-2019.04.17", "_type"=>"_doc", "_id"=>nil, "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"The [default] mapping cannot be updated on index [logstash-aws-alb-logs-2019.04.17]: defaults mappings are not useful anymore now that indices can have at most one type."}}}}

Badger · April 17, 2019, 3:03pm

Are you using a template for your elasticsearch output? If so, what does it look like?

Moshe_Nadler · April 17, 2019, 3:04pm

No template.

Moshe_Nadler · April 17, 2019, 3:37pm

Needed to delete the old logstash template in elsticsearch and restart one of the logstash pods. This recreated the template of the logstash 7.0.0 version and now it works.

erb · May 3, 2019, 9:50am

Can you explain how you deleted the old logstash template in es ?
Thanks.

erb · May 3, 2019, 10:53am

Forget my previous question : everything is in the documentation here:
https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-templates.html

I had to do:

curl -XDELETE http://localhost:9200/_template/logstash

And all is OK now.

system · May 31, 2019, 10:53am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.