I have a Graylog server setup with Elasticsearch and every so often when it creates a new index, I start getting indexer failure messages in Graylog. The error message type is “mapper_parsing_exception” and it is always associated with a winlogbeat_event_data_paramX (where X is a number). The error is because it is trying to parse the parameter as a Date type.
When I go and look at the mapping on the server the parameter is set as a Date type. However, when I look at the mapping of the previous index, the same parameter is set to the keyword type. My question is why is this changing when a new index rolls over, why won’t it just stay as a keyword?
I have searched online, but have come up with very little. I someone could shed some light on my situation it would be greatly appreciated.