Mapping to type long fails when dynamic template is used

YuWatanabe · July 5, 2016, 8:23am

Hello.

I would like to ask question about creating a index in elasticsearch.

My Question
Why is elasicsearch rejecting the indexing for field which has type : long?

What am I trying to do?
I am indexing the linux syslog into elasticsearch using grok in logstash.
Below is my grok definition.

  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }

What is happening?
Elasticsearch is rejecting the indexing as below.

[2016-07-05 17:12:03,217][DEBUG][action.admin.indices.create] [node-1] [mksyslog-2016.07.05] failed to create
MapperParsingException[Failed to parse mapping [syslog_severity_code]: Root mapping definition has unsupported parameters:  [type : long]]; nested: MapperParsingException[Root mapping definition has unsupported parameters:  [type : long]];

I use the dynamic template to auto create the index.
Below is my whole PUT query when I created the template.
syslog_severity_code is defined as type.

PUT /_template/syslog_template
{
    "template": "*syslog*",
    "settings": {
      "index": {
        "number_of_shards": "5",
        "number_of_replicas": "1"
      }
    },
    "mappings": {
      "tags": {
        "index": "not_analyzed",
        "type": "string"
      },
      "syslog_severity_code": {
        "type": "long"
      },
      "syslog_facility_code": {
        "type": "long"
      },
      "host": {
        "index": "not_analyzed",
        "type": "string"
      },
      "syslog_message": {
        "index": "not_analyzed",
        "type": "string"
      },
      "syslog_program": {
        "index": "not_analyzed",
        "type": "string"
      },
      "syslog_facility": {
        "index": "not_analyzed",
        "type": "string"
      },
      "syslog_hostname": {
        "index": "not_analyzed",
        "type": "string"
      },
      "@version": {
        "index": "not_analyzed",
        "type": "string"
      },
      "syslog_pid": {
        "index": "not_analyzed",
        "type": "string"
      },
      "message": {
        "type": "string"
      },
      "path": {
        "index": "not_analyzed",
        "type": "string"
      },
      "syslog_severity": {
        "index": "not_analyzed",
        "type": "string"
      },
      "syslog_timestamp": {
        "index": "not_analyzed",
        "type": "string"
      },
      "@timestamp": {
        "format": "strict_date_optional_time||epoch_millis",
        "type": "date"
      },
      "type": {
        "index": "not_analyzed",
        "type": "string"
      },
      "received_from": {
        "index": "not_analyzed",
        "type": "string"
      },
      "received_at": {
        "format": "strict_date_optional_time||epoch_millis",
        "type": "date"
      }
    }
  }

My platform environment is below.

OS : RHEL 7.2 64bit
Elasticsearch : 2.3.3
Logstash : 2.3.3

Any help is appreciated!

YuWatanabe · July 5, 2016, 8:51am

I have deleted the template and changed some order of the index template PUT query.
I now have different error.

[2016-07-05 17:48:28,892][DEBUG][action.admin.indices.create] [node-1] [mksyslog-2016.07.05] failed to create
MapperParsingException[Failed to parse mapping [syslog_pid]: Root mapping definition has unsupported parameters:  [index : not_analyzed] [type : string]]; nested: MapperParsingException[Root mapping definition has unsupported parameters:  [index : not_analyzed] [type : string]];
        at org.elasticsearch.cluster.metadata.MetaDataCreateIndexService$1.execute(MetaDataCreateIndexService.java:332)
        at org.elasticsearch.cluster.ClusterStateUpdateTask.execute(ClusterStateUpdateTask.java:45)
        at org.elasticsearch.cluster.service.InternalClusterService.runTasksForExecutor(InternalClusterService.java:468)
        at org.elasticsearch.cluster.service.InternalClusterService$UpdateTask.run(InternalClusterService.java:772)
        at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedEsThreadPoolExecutor.java:231)
        at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedEsThreadPoolExecutor.java:194)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: MapperParsingException[Root mapping definition has unsupported parameters:  [index : not_analyzed] [type : string]]
        at org.elasticsearch.index.mapper.DocumentMapperParser.checkNoRemainingFields(DocumentMapperParser.java:171)
        at org.elasticsearch.index.mapper.DocumentMapperParser.parse(DocumentMapperParser.java:159)
        at org.elasticsearch.index.mapper.DocumentMapperParser.parse(DocumentMapperParser.java:99)
        at org.elasticsearch.index.mapper.MapperService.parse(MapperService.java:508)
        at org.elasticsearch.index.mapper.MapperService.merge(MapperService.java:288)
        at org.elasticsearch.cluster.metadata.MetaDataCreateIndexService$1.execute(MetaDataCreateIndexService.java:329)
        ... 8 more