Logstash Could not index event to Elasticsearch The [default] mapping cannot be updated on index

After an upgrade to elastic stack 7 Logstash cannot send logs to elasticsearch any more. We see the following error:

[2019-04-17T14:25:31,292][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-aws-alb-logs-2019.04.17", :_type=>"_doc", :routing=>nil}, #LogStash::Event:0x47817ce4], :response=>{"index"=>{"_index"=>"logstash-aws-alb-logs-2019.04.17", "_type"=>"_doc", "_id"=>nil, "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"The [default] mapping cannot be updated on index [logstash-aws-alb-logs-2019.04.17]: defaults mappings are not useful anymore now that indices can have at most one type."}}}}

Are you using a template for your elasticsearch output? If so, what does it look like?

No template.

Needed to delete the old logstash template in elsticsearch and restart one of the logstash pods. This recreated the template of the logstash 7.0.0 version and now it works.

Can you explain how you deleted the old logstash template in es ?
Thanks.

Forget my previous question : everything is in the documentation here:
https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-templates.html

I had to do:

curl -XDELETE http://localhost:9200/_template/logstash

And all is OK now.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.