I am using Heartbeat 6.2.2, Logstash 6.2.3, Elasticsearch 6.2.3.
When sending Heartbeat TCP monitor data to Logstash, I get the following error message:
[2018-06-28T00:57:22,253][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"heartbeat-2018.06.28", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x25ec0801>], :response=>{"index"=>{"_index"=>"heartbeat-2018.06.28", "_type"=>"doc", "_id"=>"SRrARGQBYXi60TGvyC0m", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"object mapping for [monitor] tried to parse field [monitor] as object, but found a concrete value"}}}}
I checked my templates and deleted the target index so it was re-created, but I am not sure what I am missing.
    input {
      beats {
        port => 5044
        ssl_certificate_authorities => ["/etc/cert.crt"]
        ssl_certificate => "/etc/key.crt"
        ssl_key => "/etc/key.key"
      }
    }

    } else if [beat][name] == "elk-heartbeat" or [fields][beat][class] == "elk-heartbeat" {
      elasticsearch {
        hosts => ["http://ip-here:9200"]
        ... * removing ssl and user/pass info *
        index => "heartbeat-%{+YYYY.MM.dd}"
      }
And then it's a simple Elasticsearch output. ES is not using any pipelines. But as a result, the "monitor" field in Kibana shows up as one string, which is the properly formatted JSON object, instead of monitor.up, monitor.ip, and the like.
I am using the index template that came with the 6.2.2 heartbeats. (I did update the template to apply to heartbeat-* indices, not just heartbeat-version-*.)
Any thoughts?
Edit:
The Kibana field looks like this: https://i.imgur.com/B3rCoeM.png
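
Added example, not part of the original post: a pre-index check for the shape mismatch that the mapper_parsing_exception above reports, where the mapping defines a field as an object but the event carries a concrete value. The mapping fragment, the event and the function name find_mapping_conflicts are constructed for illustration and are not the Heartbeat template; arrays are not handled.

```python
import json

# Constructed fragment shaped like an index template's "properties" section;
# it is NOT the real Heartbeat 6.2.2 template.
SAMPLE_PROPERTIES = {
    "monitor": {"properties": {
        "ip": {"type": "ip"},
        "status": {"type": "keyword"},
        "duration": {"properties": {"us": {"type": "long"}}},
    }},
    "beat": {"properties": {"name": {"type": "keyword"}}},
}

# Constructed event: "monitor" arrives as a JSON-encoded string, not an object.
SAMPLE_EVENT = {
    "beat": {"name": "elk-heartbeat"},
    "monitor": '{"ip": "10.0.0.5", "status": "up", "duration": {"us": 1200}}',
}


def find_mapping_conflicts(properties, event, prefix=""):
    """Return (field_path, problem) pairs where the event shape disagrees with the mapping."""
    conflicts = []
    for name, spec in properties.items():
        # Missing and null fields are accepted by any mapping, so skip them.
        if name not in event or event[name] is None:
            continue
        path, value = prefix + name, event[name]
        is_object_mapping = "properties" in spec
        if is_object_mapping and isinstance(value, dict):
            # Shapes agree at this level; descend into the sub-fields.
            conflicts += find_mapping_conflicts(spec["properties"], value, path + ".")
        elif is_object_mapping:
            problem = "mapped as object, got " + type(value).__name__
            if isinstance(value, str):
                try:
                    # A string that parses to a dict is an object nobody decoded.
                    if isinstance(json.loads(value), dict):
                        problem += " (JSON-encoded object, never decoded)"
                except ValueError:
                    pass
            conflicts.append((path, problem))
        elif isinstance(value, dict):
            conflicts.append((path, "mapped as %s, got object" % spec.get("type")))
    return conflicts


if __name__ == "__main__":
    for path, problem in find_mapping_conflicts(SAMPLE_PROPERTIES, SAMPLE_EVENT):
        print(path + ": " + problem)
```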