Mapper error even though no mapping is present

Logstash trying to insert a document into the Elasticsearch index results in the following error:
"error"=>{"type"=>"illegal_argument_exception", "reason"=>"mapper [msg.Fwd Header Length] of different type, current_type [long], merged_type [ObjectMapper]"}
This happens even though the index is empty, there is no predefined mapping, and retrieving the mapping of the index returns:
{ "mapping": {} }
I'm running Logstash and Elasticsearch 7.5, but the same problem was already present before upgrading (both on version 7.4.2).
I'm really not sure where the problem lies. Any help is appreciated.

If there is no mapping template that matches the index name then the field type is set by the first document that contains the field. Are you saying that you are getting a mapping exception on the first document that is indexed?

By the way, you might get a better response in the Elasticsearch forum: this error is actually occurring in Elasticsearch and just being reported by Logstash.

Yes, strangely enough that's what happens, as after leaving Logstash to parse the whole log I still have an empty index...

Yes, makes sense. Is there some way to move this topic to the Elasticsearch forum?

I believe that the author can move a post from one forum to another. Not sure how.

What does the event look like in...

output { stdout { codec => rubydebug } }

Is there a [msg.Fwd Header Length] field whose name contains a period, or is it a [msg] object that contains a [Fwd Header Length] field? Or both?

Looking through the event, I found that there is an error in the script writing the logs, as it duplicated the [Fwd Header Length] field, adding it once as [Fwd Header Length] to the [msg] object and once as [Fwd Header Length.1]. Removing that duplication solved the problem and I could feed the logs into Elasticsearch.

So my guess is that even though the event correctly had [Fwd Header Length.1] as the name of the corresponding field, and not an object containing a field [1], Elasticsearch seemed to have read it as an object that contains a field with the name [1].
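Added example, not part of the original thread: Elasticsearch treats a dot in a field name as an object path separator, so within one document `Fwd Header Length` (a number) and `Fwd Header Length.1` (an object `Fwd Header Length` holding a field `1`) claim the same path with two different types. The Python check below expands dotted names the same way and reports such collisions before an event is shipped; the function names and the sample event are constructed for illustration.

```python
# Added example: detect field names that collide once dots are expanded
# into object paths. Not Logstash or Elasticsearch code.

def find_dotted_conflicts(doc):
    """Return the dotted paths used both as a scalar value and as an object."""
    kinds = {}  # path tuple -> subset of {"leaf", "object"}
    _walk(doc, (), kinds)
    return sorted(".".join(path) for path, seen in kinds.items() if len(seen) > 1)


def _walk(node, prefix, kinds):
    for name, value in node.items():
        # "a.b" under prefix ("msg",) becomes the path ("msg", "a", "b").
        parts = prefix + tuple(name.split("."))
        # Every intermediate segment introduced by a dot must be an object.
        for i in range(len(prefix) + 1, len(parts)):
            kinds.setdefault(parts[:i], set()).add("object")
        # Arrays are checked element by element: an array of dicts is an
        # object at that path, an array of scalars is a leaf.
        items = value if isinstance(value, list) else [value]
        for item in items:
            if isinstance(item, dict):
                kinds.setdefault(parts, set()).add("object")
                _walk(item, parts, kinds)
            else:
                kinds.setdefault(parts, set()).add("leaf")


# Constructed sample shaped like the event described in the thread.
SAMPLE_EVENT = {
    "msg": {
        "Fwd Header Length": 40,
        "Fwd Header Length.1": 40,  # duplicate column written by the log script
        "Flow Duration": 1200,
    }
}

if __name__ == "__main__":
    for path in find_dotted_conflicts(SAMPLE_EVENT):
        print(f"conflict: [{path}] is both a value and an object")
```

The reported path matches the mapper name in the error message, which is why the failure appears on the very first document even though the index has no mapping yet.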
