I've included a pic of the fields and types that are the source of the mapping conflict.
I've never encountered a mapping conflict before and I don't know why this has occurred now. I'm not positive but the timing is very close to when the cluster was upgraded to 8.17.3. I am not sure what the best way to resolve this issue is so any guidance is appreciated.
Thank you Leandro. I had updated those integrations to the latest versions prior to posting my message. Do the updated integrations fix the problem going forward? I use the affected fields quite a bit to hunt in Kibana and I can't use them while the mapping conflict exists. Is there a way to fix my existing indices with the mapping conflict or do I need to wait until the affected indices age out and are deleted?
What are the current versions of the integrations that you have?
The latest versions are 1.67.3 for the System integration and 2.5.2 for the Windows integration. Check if all your policies are using these latest versions.
I'm not sure if updating the integration would force a rollover of the data streams. A rollover is required to create a new backing index with the correct mapping.
If a rollover was not triggered by the upgrade, then you need to force it.
To force a rollover you can make a request in Dev Tools, something like this:
POST logs-system.security-default/_rollover
After that, the correct mapping should be applied and work for new documents. The data in older indices will not be fixed; if you need to fix it, you will need to reindex the data on the backing indices.
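To see which backing indices still carry the old mapping after the rollover, the response of `GET logs-system.security-default/_field_caps?fields=*` can be checked offline. The following is an added example, not part of the original post: the field names and backing index names in `SAMPLE` are constructed, and the script assumes the default `.ds-<stream>-<date>-<generation>` backing index naming and that the newest generation holds the correct type.

```python
import re
from collections import defaultdict

# Default backing index name: .ds-<data stream>-<yyyy.MM.dd>-<6-digit generation>
BACKING = re.compile(r"^\.ds-(?P<stream>.+)-\d{4}\.\d{2}\.\d{2}-(?P<gen>\d{6})$")

def find_conflicts(field_caps):
    """Return {field: {type: [indices]}} for fields mapped with more than one type."""
    conflicts = {}
    for field, by_type in field_caps.get("fields", {}).items():
        if len(by_type) > 1:
            # field_caps lists "indices" per type only when the types differ
            conflicts[field] = {t: sorted(c.get("indices") or [])
                                for t, c in by_type.items()}
    return conflicts

def indices_to_reindex(conflicts):
    """Backing indices whose field type differs from their stream's newest generation."""
    stale = defaultdict(set)
    for field, by_type in conflicts.items():
        newest = {}  # stream -> (generation, type); assumption: newest is correct
        parsed = [(t, n, BACKING.match(n)) for t, names in by_type.items() for n in names]
        for ftype, name, m in parsed:
            if m and int(m["gen"]) > newest.get(m["stream"], (-1, None))[0]:
                newest[m["stream"]] = (int(m["gen"]), ftype)
        for ftype, name, m in parsed:
            if m and newest[m["stream"]][1] != ftype:
                stale[name].add(field)
    return {name: sorted(fields) for name, fields in sorted(stale.items())}

# Constructed sample shaped like a _field_caps response (not data from the thread)
OLD_1 = ".ds-logs-system.security-default-2025.02.01-000007"
OLD_2 = ".ds-logs-system.security-default-2025.03.01-000008"
NEW = ".ds-logs-system.security-default-2025.03.20-000009"
SAMPLE = {
    "indices": [OLD_1, OLD_2, NEW],
    "fields": {
        "constructed.field_a": {
            "long": {"type": "long", "searchable": True, "aggregatable": True,
                     "indices": [OLD_1, OLD_2]},
            "keyword": {"type": "keyword", "searchable": True, "aggregatable": True,
                        "indices": [NEW]},
        },
        "constructed.field_b": {
            "keyword": {"type": "keyword", "searchable": True, "aggregatable": True},
        },
    },
}

if __name__ == "__main__":
    for index, fields in indices_to_reindex(find_conflicts(SAMPLE)).items():
        print(index, "needs reindex for", ", ".join(fields))
```

A conflict that exists only between two different data streams, with no disagreement inside either one, produces an empty plan here and has to be read from `find_conflicts` directly.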
Yes, I updated to those versions of the integrations yesterday. Thanks for your help. I've done a rollover on that index and am now in the process of reindexing the 4 indexes affected. They are all 50+GB each so that will take some time. Hopefully when they are done, the red triangle with the exclamation point will be gone for those fields in Kibana. I appreciate your guidance.