Problems with dynamic mapping

I have some ECS formatted data that I want to put into a new data stream.

I created an index template with default parameters (no settings, mappings or aliases), but when I try to put data into it using the Ruby API I get errors:

    es bulk 'create' record 0 mapping set to strict, dynamic introduction of [risk] within [_doc] is not allowed: on {:create=>{:data=>{"risk.static_level"=>"info", "server.ip"=>"130.216.159.78", "network.transport"=>"tcp", "server.port"=>"80", "server.domain"=>"coursebuilder-f5vip.cad.auckland.ac.nz", "server.as.number"=>"9431", "server.geo.country_iso_code"=>"NZ", "server.geo.region_name"=>"AUCKLAND", "server.geo.city_name"=>"AUCKLAND", "extra.server.naics"=>nil, "extra.hostname_source"=>"ptr", "extra.server.sector"=>"Education Services", "device.manufacturer"=>"F5", "extra.device.type"=>"load-balancer", "device.model.name"=>"BIG-IP", "extra.device.version"=>nil, "data_stream.dataset"=>"device_id"}}}

The Mappings tab shows:

    {
      "_routing": {
        "required": false
      },
      "numeric_detection": false,
      "dynamic_date_formats": [
        "strict_date_optional_time",
        "yyyy/MM/dd HH:mm:ss Z||yyyy/MM/dd Z"
      ],
      "dynamic": true,
      "_source": {
        "excludes": [],
        "includes": [],
        "enabled": true
      },
      "dynamic_templates": [],
      "date_detection": true
    }

Note dynamic is true.

When I look at the template summary, it appears to have the ECS mapping?

    "mappings": {
      "dynamic": "true",
      "dynamic_date_formats": [
        "strict_date_optional_time",
        "yyyy/MM/dd HH:mm:ss Z||yyyy/MM/dd Z"
      ],
      "dynamic_templates": [],
      "date_detection": true,
      "numeric_detection": false,
      "properties": {
        "@timestamp": {
          "type": "date"
        },
        "agent": {
          "properties": {
            "build": {
              "properties": {
                "original": {
                  "type": "keyword"
                }
              }
            },

Where they came from I don't know.

I note that there is no top-level risk element in the mappings.

Any ideas why ES thinks "mapping set to strict"?

Sorted.

I forgot to delete the data stream after fiddling with the template. Doh!
