Unable to update existing index even though sincedb is deleted

Gunjan_Gupta · April 25, 2016, 11:01am

Step :
Initial Logstash.conf file:

input {
file {
path => "C:\Users\Downloads\logstash-tutorial.log\logstash-tutorial-dataset"
start_position => beginning
ignore_older => 0
}
}

filter {

grok {
    match => { "message" => "%{COMBINEDAPACHELOG}"}

}

geoip {
source => "clientip"
}

mutate {
convert => ["@version","integer"]
convert => ["host","integer"]
}

}

output {
elasticsearch {
action => "index"
codec => "json"
index => "perfmondataindexgraphana11"
}
}
Result: Index created successfully

After this I commented " convert => ["host","integer"] " and then deleted sincedb file before running updated logstash.conf file.

Result: Got an error unable to parse field "host"

Error stack:

ex"=>"perfmondataindexgraphana11", "_type"=>"logs", "_id"=>"AVRNA4UBRi1p7WBX9LgO
", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"faile
d to parse [host]", "caused_by"=>{"type"=>"number_format_exception", "reason"=>"

magnusbaeck · April 25, 2016, 8:00pm

That error message is incomplete, but it indicates that ES wants the host field to be an integer but the document you're trying to index doesn't contain an integer in that field.

Gunjan_Gupta · April 26, 2016, 6:10am

I know the reason as it was happened because I have commented "host" field while updating logstash.conf but my question is that why i am unable to update same index index => "perfmondataindexgraphana11" as whatever i am sending by using this config should not given me this error.
Or is it like that we cannot update same index and need to create new index if i am updating any field.

magnusbaeck · April 26, 2016, 4:39pm

You can certainly update an existing index but you can't change the type mappings.

Gunjan_Gupta · May 1, 2016, 10:37am

Thanks! Back for quick reply.