Integration Name
Teleport [packages/teleport]
Dataset Name
No response
Integration Version
1.6.0
Agent Version
9.2.6
Agent Output Type
elasticsearch
Elasticsearch Version
9.2.6
OS Version and Architecture
RHEL 9.7 (amd64)
Software/API Version
No response
Error Message
illegal_argument_exception: can't merge a non object mapping [teleport.audit.kubernetes_labels.cluster] with an object mapping
Event Original
No response
What did you do?
Ingested Teleport audit events from a Kubernetes cluster using CoreWeave infrastructure. These events include a label with the key cluster.coreweave.cloud/type alongside a plain string cluster label within teleport.audit.kubernetes_labels.
What did you see?
The dot_expander processor attempts to expand cluster.coreweave.cloud/type into a nested object under cluster, but cluster already exists as a plain string in the same document, causing a type conflict. The same collision can also occur in teleport.audit.kubernetes.labels and teleport.audit.server.labels.
What did you expect to see?
The pipeline should handle label keys containing dots that would collide with existing plain string keys, either by sanitizing the dotted key before the dot_expander runs or by skipping expansion for keys that would produce a type conflict.
Anything else?
Current workaround
Applying a Painless script in a logs-teleport.audit@custom pipeline to sanitize the label keys before they reach the dot_expander.
Integration Name
Teleport [packages/teleport]
Dataset Name
No response
Integration Version
1.6.0
Agent Version
9.2.6
Agent Output Type
elasticsearch
Elasticsearch Version
9.2.6
OS Version and Architecture
RHEL 9.7 (amd64)
Software/API Version
No response
Error Message
Event Original
No response
What did you do?
Ingested Teleport audit events from a Kubernetes cluster using CoreWeave infrastructure. These events include a label with the key cluster.coreweave.cloud/type alongside a plain string cluster label within teleport.audit.kubernetes_labels.
What did you see?
The dot_expander processor attempts to expand cluster.coreweave.cloud/type into a nested object under cluster, but cluster already exists as a plain string in the same document, causing a type conflict. The same collision can also occur in teleport.audit.kubernetes.labels and teleport.audit.server.labels.
What did you expect to see?
The pipeline should handle label keys containing dots that would collide with existing plain string keys, either by sanitizing the dotted key before the dot_expander runs or by skipping expansion for keys that would produce a type conflict.
Anything else?
Current workaround
Applying a Painless script in a logs-teleport.audit@custom pipeline to sanitize the label keys before they reach the dot_expander.