"reason"=>"object mapping for [host] tried to parse field [host] as object, but found a concrete value"

BlackCat · April 21, 2021, 6:42am

Please how to do resolve.

Logstash outputs below error log.

[2021-04-21T15:31:47,803][WARN ][logstash.outputs.elasticsearch][＜pipeline.id＞][b0981f4f69ba05c595e4bfce70b5e813c0b082207400c67bd72b366d2d36ba65] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"server_log_2021", :routing=>nil, :_type=>"_doc"}, #<LogStash::Event:0x2c68b9c>], :response=>{"index"=>{"_index"=>"server_log_2021", "_type"=>"_doc", "_id"=>"u6kg83gBU2gZoWhPq95O", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"object mapping for [host] tried to parse field [host] as object, but found a concrete value"}}}}

Data flow is below.
Filebeat → Logstash → Elasticsearch

Version is all 7.12.

Anabella_Cristaldi · April 21, 2021, 7:01am

Hi,
Maybe This can help

BlackCat · April 21, 2021, 8:18am

I tried this.
But result is no change.

I attached mapping information of "host" at Elasticsearch.
キャプチャ

Anabella_Cristaldi · April 21, 2021, 8:48am

and how do you reference/treat the host field in logstash?

BlackCat · April 21, 2021, 9:53am

I using below config of logstash.

input {
   tcp {
     port => ＜port number＞
codec => line { charset => "Shift_JIS" }
   }
}

filter {
 if "＜server ip＞" in [host][ip] {

      mutate {
       rename => { "message" => "Message" }
       add_field => { "Host" => "＜I using hope hostname.＞" }
      }

 }
}

Anabella_Cristaldi · April 21, 2021, 10:09am

I see... the host is defined as an object in the mapping.
What happens if you use this

add_field => { "[host][name]" => "＜I using hope hostname.＞" }

instead of
add_field => { "Host" => "＜I using hope hostname.＞" }

In this way you will be using the ECS host fields

system · May 19, 2021, 10:10am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.