I have some ECS formatted data that I want to put into a new data stream.
I created an index template with default parameters (no settings, mappings or aliases), but when I try and put data into it using the Ruby API I get errors:
es bulk 'create' record 0 mapping set to strict, dynamic introduction of [risk] within [_doc] is not allowed: on {:create=>{:data=>{"risk.static_level"=>"info", "server.ip"=>"130.216.159.78", "network.transport"=>"tcp", "server.port"=>"80", "server.domain"=>"coursebuilder-f5vip.cad.auckland.ac.nz", "server.as.number"=>"9431", "server.geo.country_iso_code"=>"NZ", "server.geo.region_name"=>"AUCKLAND", "server.geo.city_name"=>"AUCKLAND", "extra.server.naics"=>nil, "extra.hostname_source"=>"ptr", "extra.server.sector"=>"Education Services", "device.manufacturer"=>"F5", "extra.device.type"=>"load-balancer", "device.model.name"=>"BIG-IP", "extra.device.version"=>nil, "data_stream.dataset"=>"device_id"}}}
The mappings tab shows:
{
  "_routing": {
    "required": false
  },
  "numeric_detection": false,
  "dynamic_date_formats": [
    "strict_date_optional_time",
    "yyyy/MM/dd HH:mm:ss Z||yyyy/MM/dd Z"
  ],
  "dynamic": true,
  "_source": {
    "excludes": [],
    "includes": [],
    "enabled": true
  },
  "dynamic_templates": [],
  "date_detection": true
}
Note that dynamic is true.
When I look at the template summary, it appears to have the ECS mapping?
"mappings": {
  "dynamic": "true",
  "dynamic_date_formats": [
    "strict_date_optional_time",
    "yyyy/MM/dd HH:mm:ss Z||yyyy/MM/dd Z"
  ],
  "dynamic_templates": [],
  "date_detection": true,
  "numeric_detection": false,
  "properties": {
    "@timestamp": {
      "type": "date"
    },
    "agent": {
      "properties": {
        "build": {
          "properties": {
            "original": {
              "type": "keyword"
            }
          }
        },
Where they came from I don't know.
I note that there is no top-level risk element in the mappings.
Any ideas why ES thinks "mapping set to strict"?