I am using the Fleet server with policies/integrations but I am running into some mapping conflicts that I am unsure how to resolve. For my "logs-*" index pattern I see I have a conflict of keyword,object on the "source" field.
The strange part is all of these keyword types are coming from the .ds-logs-elastic_agent.filebeat- indices. This makes me thing it is something to do with the IIS integration I have enabled because the two namespaces are one of the few that have an IIS integration.
How does someone go about correcting this mapping conflict? This is causing me to lose GEO data. I have a support ticket open but it has been going over for quite a while and I'm trying to find other sources of assistance to resolve this.
I have documents in other indexes where they have the source.ip column but no geo data. My assumption was the conflict was causing it not to look up the geo location because of this conflict.
This is also causing an issue where I cannot put in exceptions in the Alerts section for source.ip using lists. I should be able to make a list for IP Addresses and a put a rule in under alerts that states "if source.ip is in list " but the drop down does not populate my ip address list. We discovered that it doesnt populate the ip address list because source has a mapping conflict and is keyword.
Looking at some of the indices it says is in conflict they dont even have a source column in that index. So im confused as to why there is a conflict to begin with.
So I still have the issue with the mapping conflicts caused by the issue you mentioned but I managed to fix the IIS GEO issue.
It turns out the integration did not provide a pipeline so the IIS pipeline was not running on the documents being ingested. I think this may be a bug in a past version of the IIS integration because I completely removed the integration and installed it again and now the settings have a default_pipeline supplied. However, I thought Elastic did some sort of name matching to match a ingest pipeline based on the data stream name and/or index template name. That doesn't appear to be working or it isn't working because its also comparing the - which then it wouldn't of matched a pipeline.
I didn't quite get what you meant there, let me break down what I understood:
However, I thought Elastic did some sort of name matching to match a ingest pipeline based on the data stream name and/or index template name.
When adding a document to Elasticsearch, the request (single or bulk) can specify which ingest pipeline to use, that is how Filebeat uses ingest pipelines, when sending the events it tells ES which pipelines to use. This is all handled by Filebeat/Elastic-Agent, you should not need to worry about it.
Are you sending data to those indexes by means other than the Elastic-Agent/Filebeat/Beats?
That doesn't appear to be working or it isn't working because its also comparing the - which then it wouldn't of matched a pipeline.
What is being compared to what? I don't get that... What is the behaviour you are seeing and what did you expect to see?
it states " Elasticsearch matches these templates to your Fleet data streams based on the stream’s naming scheme."
So what I was saying, is the ingest pipeline should be matched to the data stream just off the naming scheme. So if I have a template named "logs-msexchange.msgtracking" which created a "logs-msexchange.msgtracking-" I figured it would of matched the pipeline named "logs-msexchange.msgtracking". I'm assuming that it isn't matching due to the namespace not being in the name of the ingest pipeline.
First things first, this documentation you linked is regarding running Fleet and Elastic-Agent. When the Elastic-Agent is running under fleet it does a lot of work under the hood to get all the indexes, pipelines, etc working.
I believe you are confusing the templates this phrase refers too. Also the whole paragraph needs to be taken into consideration:
The "templates" mentioned in the bit you quoted are the index templates and they're matched to the "fleet data streams" (the data streams set up by Fleet and Elastic-Agent), it does not affect all data streams.
However, I thought Elastic did some sort of name matching to match a ingest pipeline based on the data stream name and/or index template name.
Ingest pipelines are not "auto-magically" matched by name to indexes, this configuration is explicit. When Elastic-Agent does its configuration of ingest pipelines, index templates and data streams, the observable result is that pattern matching. However if you just create ingest pipelines and indexes manually they will not be matched by name patterns.
That' one of the many advantages of using Elastic-Agent and integrations, they take care of all this heavy lifting for you.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.