Template issue

tgdesrochers · August 31, 2017, 11:36am

I am having some issues with my elastic template. When I added the IP fields I receive errors. If I remove them it works fine. Can someone shed light on what I am doing wrong.

I took the default template for logstash and edited it to create the one below. I am in no way a template guru.

Elasticsearch 5.4
Logstash 5.4

Error:

[2017-08-31T07:27:56,794][WARN ][logstash.outputs.elasticsearch] Failed action. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"network-data-2017.08.31", :_type=>"eventlog", :_routing=>nil}, 2017-08-31T11:27:52.564Z 10.206.140.219 %{message}], :response=>{"index"=>{"_index"=>"network-data-2017.08.31", "_type"=>"eventlog", "_id"=>"AV44DDFnG5N1_N_4xbGQ", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"mapper [false] of different type, current_type [date], merged_type [text]"}}}}

Template:

{
  "order": 0,
  "version": 1,
  "template": "network-data-*",
  "settings": {
    "index": {
      "refresh_interval": "5s",
      "number_of_shards": "2",
      "number_of_replicas":"1"
    }
  },
  "mappings": {
    "_default_": {
      "dynamic_templates": [
        {
          "message_field": {
            "path_match": "message",
            "mapping": {
              "norms": false,
              "type": "text"
            },
            "match_mapping_type": "string"
          }
        },
        {
          "string_fields": {
            "mapping": {
              "norms": false,
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword"
                }
              }
            },
            "match_mapping_type": "string",
            "match": "*"
          }
        }
      ],
      "_all": {
        "norms": false,
        "enabled": true
      },
      "properties": {
        "@timestamp": {
          "copy_to": false,
          "type": "date"
        },
        "Src_geoip": {
          "dynamic": true,
          "properties": {
            "ip": {
              "type": "ip"
            },
            "latitude": {
              "type": "half_float"
            },
            "location": {
              "type": "geo_point"
            },
            "longitude": {
              "type": "half_float"
            }
          }
        },
        "Dst_geoip": {
          "dynamic": true,
          "properties": {
            "ip": {
              "type": "ip"
            },
            "latitude": {
              "type": "half_float"
            },
            "location": {
              "type": "geo_point"
            },
            "longitude": {
              "type": "half_float"
            }
          }
        },
        "SourceIp": {
          "type": "ip"
        },
        "DestinationIp": {
          "type": "ip"
        },
        "IpAddress": {
          "type": "ip"
        },
        "Ipaddress": {
          "type": "ip"
        },
        "@version": {
          "copy_to": false,
          "type": "keyword"
        }
      }
    }
  },
  "aliases": {}
}

system · September 28, 2017, 11:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.