I know this question has been asked before but I can't seem to make this work.
I updated Kibana and ElasticSearch from 5.6.16 to 6.8.7, and after the upgrade everything continued to work. However, two days later at midnight all logging stopped and the following errors started to show up in the logs:
[2020-03-09T10:35:09,326][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-prod-syslog-2020.11", :_type=>"syslog", :_routing=>nil}, LOGLINE, :response=>{"index"=>{"_index"=>"logstash-prod-syslog-2020.11", "_type"=>"syslog", "_id"=>nil, "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"Failed to parse mapping [_default_]: No handler for type [string] declared on field [@version]", "caused_by"=>{"type"=>"mapper_parsing_exception", "reason"=>"No handler for type [string] declared on field [@version]"}}}}}
From looking over previous posts I would assume the error is that the @version field was previously of type string and now needs to be of type text or keyword. However, when looking at the templates (that have been in use since 5.6.16) the field is of type keyword:

    "@version": { "type": "keyword", "index": true },

In the templates I do have a few references to string such as this:

    "mappings" : {
      "_default_" : {
        "_all" : {"enabled" : false, "norms" : false},
        "dynamic_templates" : [ {
          "message_field" : {
            "match" : "message",
            "match_mapping_type" : "string",
            "mapping" : {
              "type" : "text", "index" : true, "norms" : false
            }
          }
        }, {
          "string_fields" : {
            "match" : "*",
            "match_mapping_type" : "string",
            "mapping" : {
              "type" : "text", "index" : true, "norms" : false,
              "fields" : {
                "raw" : {"type": "keyword", "index" : true, "ignore_above" : 256}
              }

But if I try and update these to text I get the following error:
"No field type matched on [text], possible values are [object, string, long, double, boolean, date, binary]"
I have also had a look at my index patterns (it is also worth noting that the index mentioned in the error message, logstash-prod-syslog-2020.11, is not present in Kibana) and I can see that @version is listed as a string:
@version string
The only other place I can see @version being listed as a string is if I run the following GET in the elastic API:

    /_template/logstash-prod

    "@version": {
      "index": "not_analyzed",
      "type": "string"

I have tried just doing a PUT and changing the type to text and I just get the error:
"reason": "unknown key [logstash-prod] in the template ",
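
An added example, not part of the original post: a Python sketch that takes a GET /_template/logstash-prod response, drops the outer template-name key, and rewrites legacy "type": "string" mappings while leaving match_mapping_type untouched (there, "string" is one of the accepted values per the error quoted above). The sample response is constructed, the function names are hypothetical, and it assumes the failed PUT body still carried the outer logstash-prod wrapper.

```python
import copy

# Constructed sample shaped like a GET /_template/logstash-prod response:
# the template body is wrapped in a top-level key named after the template.
SAMPLE_GET_RESPONSE = {
    "logstash-prod": {
        "template": "logstash-prod-*",
        "mappings": {
            "_default_": {
                "dynamic_templates": [{
                    "string_fields": {
                        "match": "*",
                        "match_mapping_type": "string",
                        "mapping": {"type": "text", "index": True},
                    }
                }],
                "properties": {
                    "@version": {"index": "not_analyzed", "type": "string"},
                    "message": {"type": "string"},
                },
            }
        },
    }
}


def convert_legacy_strings(node):
    """Rewrite every {"type": "string"} mapping in place for 6.x."""
    if isinstance(node, list):
        for item in node:
            convert_legacy_strings(item)
    elif isinstance(node, dict):
        if node.get("type") == "string":
            legacy_index = node.pop("index", "analyzed")
            # Assumed rule: not_analyzed/no -> keyword, anything else -> text.
            node["type"] = "keyword" if legacy_index in ("not_analyzed", "no") else "text"
            if legacy_index == "no":
                node["index"] = False
        for value in node.values():
            convert_legacy_strings(value)


def build_put_body(get_response, name):
    """Unwrap the template-name key; return a body for PUT /_template/<name>."""
    body = copy.deepcopy(get_response[name])
    convert_legacy_strings(body)
    return body
```

Only new indices pick up the updated template, which fits the failure appearing at the midnight rollover to a new index.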