There seems to be a type conflict with the way the fields get created by filebeat with auto-discovered docker logs, which is causing me to get mapper parsing exceptions from my nginx logs.
I've got a bunch of different containers being monitored by filebeat using autodiscover with hints. One of the first ones I got setup was my elasticsearch container, which has these labels set for hints in its docker-compose file:
labels:
co.elastic.logs/module: elasticsearch
co.elastic.logs/fileset: server
The default index template then created an elastic field of type keyword named "docker.container.labels.co.elastic.logs/fileset" which has a value of "server" for those documents.
As I kept working, on my nginx container I added the following labels in its compose file:
labels:
co.elastic.logs/module: nginx
co.elastic.logs/fileset.stdout: access
co.elastic.logs/fileset.stderr: error
And so it is trying to index an object into the "docker.container.labels.co.elastic.logs/fileset" field that looks more like {"stderr":"error", "stdout":"access"} and getting the parsing exception as a result.