Warnings in ElasticSearch/Logstash

I am getting warnings in the Logstash logs that it can't export to Elasticsearch. This is probably an issue with a template, but I don't know where to start troubleshooting or which application the problem is actually with. The warning is regarding GeoIP postal codes, and what look like Canadian postal codes that it fails to parse.

Warning message:

Any help is appreciated.

What is the mapping on the DestinationIPGeo.postal_code field?

I apologize, I am new to ELK stack. If you mean from the template, I do not appear to have a mapping for postal_code.

I ran the following command:

curl -XGET 'localhost:9200/_template/traffic?pretty'

This is the output for that section:

Try curl -XGET 'localhost:9200/traffic/_mapping?pretty'.

The output does include a postal_code mapping. I don't need postal codes, can that be removed or do I need to change the type? Either way, how can I modify this?

Thank you!

If you don't need it then you can remove it in Logstash, that is the field that is generating the error.

Where is that template physically located, or how do I modify it? I will just remove that section, if I can find how to edit it.

If you don't want the field at all, then use mutate+remove field.
If you want to remove it from the template, then you are better off fixing the underlying issue, which is a bit more involved.
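
The mutate approach suggested in the replies above, written out as an added example that is not part of the original thread. It assumes the GeoIP data is stored as a nested object named DestinationIPGeo, so the Elasticsearch path DestinationIPGeo.postal_code becomes [DestinationIPGeo][postal_code] in Logstash field-reference syntax:

```logstash
filter {
  # Place this after the geoip filter that populates DestinationIPGeo,
  # so the field already exists when mutate runs.
  mutate {
    # Assumption: postal_code is a sub-field of the DestinationIPGeo object.
    # Logstash addresses nested fields with bracket syntax, not the dotted
    # path that Elasticsearch prints in its warning.
    remove_field => ["[DestinationIPGeo][postal_code]"]
  }
}
```

This only stops new events from carrying the field; the postal_code mapping already present in the traffic index stays until the index is recreated or reindexed.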
