object mapping for [host] tried to parse field [host] as object, but found a concrete value #35
Comments
|
Hmmm, the UDP input sets a Your best bet for now is probably to add a I'll open an issue on UDP input to move to a more ECS friendly location for the hostname. |
|
🙂 Glad to hear it's not a config error on my side.. I'll test your suggestion asap. |
|
Coincidentally, I opened a PR yesterday to fix this: logstash-plugins/logstash-input-udp#41 |
|
Filed issue logstash-plugins/logstash-input-udp#42 for this. |
|
Adding solved my issue. Thanks. I'll go ahead and close this. Tx @webmat @praseodym |
|
Hi, object mapping for [requestnode] tried to parse field [null] as object, but found a concrete value But a simple renaming of the field from 'requestnode' to 'request_node' solves the problem. Why is that? Is requestnode a special keyword for elastic? I've had the same error for multiple such fields before and every time just renaming it solved the issue. But weird thing is that the same field name has been working all along. And now suddenly elasticsearch throws out error for a new document. Why is that? And why does putting a _ in the field name makes the error vanish? |
|
I apologize for the inconvenience, but this is an Elasticsearch usage question, and should be GitHub should be used for reporting bugs, suggesting improvement and opening pull requests. |
|
For those who are facing the same issue, Here is how we solved it Interesting observation is the location of |
I don't understand where this yaml-like markup you wrote is applied. It cannot be applied in Kibana Dev Tools for ElasticSearch because that uses JSON format. |
That is a Filebeat config (using the rename processor). |
Is this because logstash sends data to elastic and the ip is ipv6? After adding this filter, there is no ip, logstash cannot parse ipv6, I guess |
|
@haoqi123 No, when this issue was originally opened the The If you have any other questions or issues, feel free to open another issue or a topic thread over on discuss.elastic.co. |
|
增加这个就没用报错了 |
Hello,
When I try to use this f5ecs template where I integrated the ecs fields I think I will need:
I get Logstash errors like:
[2018-07-06T15:46:38,453][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"f5-002-2018.07.06", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x2373a721>], :response=>{"index"=>{"_index"=>"f5-002-2018.07.06", "_type"=>"doc", "_id"=>"hGDYb2QBpfUnuaeQN_7m", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"object mapping for [host] tried to parse field [host] as object, but found a concrete value"}}}}And my pipeline:
the f5 template for f5-001-* still has a 'host' field, but shouldn't interfer as the my new f5ecs template applies to a different index?. I'm not sure what's going wrong here, will have to investigate further, but I thought I throw it in here, it might be related to the way I refer to the host object in my pipeline?
The text was updated successfully, but these errors were encountered: