ELK VERSION: 6.4.2
I am using filebeat, here is my config of filebeat.yml
filebeat.prospectors:
- type: log
paths:
- '/XXX/access.log'
json.keys_under_root: true
processors:
- decode_json_fields:
fields: ["requestBody"]
target: ""
output.elasticsearch:
hosts: ["localhost:9200"]
the content of '/XXX/access.log is
{"requestBody": "{\"text\":\"message\",\"text1122\":\"message\"}"}
elasticsearch error message:
[2018-10-20T17:05:45,361][DEBUG][o.e.a.b.TransportShardBulkAction] [filebeat-6.4.2-2018.10.20][0] failed to execute bulk item (index) BulkShardRequest [[filebeat-6.4.2-2018.10.20][0]] containing [11] requests
org.elasticsearch.index.mapper.MapperParsingException: object mapping for [requestBody] tried to parse field [requestBody] as object, but found a concrete value
at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrNested(DocumentParser.java:357) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrField(DocumentParser.java:478) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.index.mapper.DocumentParser.parseValue(DocumentParser.java:608) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.index.mapper.DocumentParser.innerParseObject(DocumentParser.java:403) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrNested(DocumentParser.java:380) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.index.mapper.DocumentParser.internalParseDocument(DocumentParser.java:95) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.index.mapper.DocumentParser.parseDocument(DocumentParser.java:69) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.index.mapper.DocumentMapper.parse(DocumentMapper.java:263) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.index.shard.IndexShard.prepareIndex(IndexShard.java:725) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.index.shard.IndexShard.applyIndexOperation(IndexShard.java:702) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.index.shard.IndexShard.applyIndexOperationOnPrimary(IndexShard.java:682) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.action.bulk.TransportShardBulkAction.lambda$executeIndexRequestOnPrimary$2(TransportShardBulkAction.java:560) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.action.bulk.TransportShardBulkAction.executeOnPrimaryWhileHandlingMappingUpdates(TransportShardBulkAction.java:579) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.action.bulk.TransportShardBulkAction.executeIndexRequestOnPrimary(TransportShardBulkAction.java:558) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.action.bulk.TransportShardBulkAction.executeIndexRequest(TransportShardBulkAction.java:141) [elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.action.bulk.TransportShardBulkAction.executeBulkItemRequest(TransportShardBulkAction.java:247) [elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.action.bulk.TransportShardBulkAction.performOnPrimary(TransportShardBulkAction.java:124) [elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.action.bulk.TransportShardBulkAction.shardOperationOnPrimary(TransportShardBulkAction.java:111) [elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.action.bulk.TransportShardBulkAction.shardOperationOnPrimary(TransportShardBulkAction.java:73) [elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.action.support.replication.TransportReplicationAction$PrimaryShardReference.perform(TransportReplicationAction.java:1017) [elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.action.support.replication.TransportReplicationAction$PrimaryShardReference.perform(TransportReplicationAction.java:995) [elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.action.support.replication.ReplicationOperation.execute(ReplicationOperation.java:101) [elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.action.support.replication.TransportReplicationAction$AsyncPrimaryAction.onResponse(TransportReplicationAction.java:356) [elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.action.support.replication.TransportReplicationAction$AsyncPrimaryAction.onResponse(TransportReplicationAction.java:296) [elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.action.support.replication.TransportReplicationAction$1.onResponse(TransportReplicationAction.java:958) [elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.action.support.replication.TransportReplicationAction$1.onResponse(TransportReplicationAction.java:955) [elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.index.shard.IndexShardOperationPermits.acquire(IndexShardOperationPermits.java:271) [elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.index.shard.IndexShardOperationPermits.acquire(IndexShardOperationPermits.java:238) [elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.index.shard.IndexShard.acquirePrimaryOperationPermit(IndexShard.java:2249) [elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.action.support.replication.TransportReplicationAction.acquirePrimaryShardReference(TransportReplicationAction.java:967) [elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.action.support.replication.TransportReplicationAction.access$500(TransportReplicationAction.java:97) [elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.action.support.replication.TransportReplicationAction$AsyncPrimaryAction.doRun(TransportReplicationAction.java:317) [elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.action.support.replication.TransportReplicationAction$PrimaryOperationTransportHandler.messageReceived(TransportReplicationAction.java:292) [elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.action.support.replication.TransportReplicationAction$PrimaryOperationTransportHandler.messageReceived(TransportReplicationAction.java:279) [elasticsearch-6.4.2.jar:6.4.2]