StamusNetworks / KTS6

Kibana 6 Templates for Suricata IDPS Threat Hunting
GNU General Public License v3.0

mapper_parsing_exception "failed to parse field [host] of type [text]" #9

Open opoplawski opened 5 years ago

opoplawski commented 5 years ago

Get lots of:

logstash[20807]: [2019-01-25T15:27:15,753][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-dns-2019.01.25", :_type=>"doc", :routing=>nil}, #], :response=>{"index"=>{"_index"=>"logstash-dns-2019.01.25", "_type"=>"doc", "_id"=>"gy1Wh2gBNsyAfm1OvkqE", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [host] of type [text]", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:939"}}}}}

This seems to be because beats now use "host.ip"/"host.name" and so forth - https://www.elastic.co/guide/en/beats/libbeat/current/breaking-changes-6.3.html
opoplawski commented 5 years ago

Hmm, this might be an issue with my using two different versions of beats (6.2.4 and 6.4.2).

opoplawski commented 5 years ago

Also see what seems to be caused by the opposite expectation for host:

logstash[6183]: [2019-01-25T15:31:54,917][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-2019.01.25", :_type=>"doc", :routing=>nil}, #<LogStash::Event:0xfb3cfa0>], :response=>{"index"=>{"_index"=>"logstash-2019.01.25", "_type"=>"doc", "_id"=>"1i1bh2gBNsyAfm1OAHDO", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"object mapping for [host] tried to parse field [host] as object, but found a concrete value"}}}}
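The two warnings above are the same conflict seen from both sides: Elasticsearch fixes one shape per field per index, so an index whose mapping has `host` as `text` rejects the beats 6.3+ object (`host.name`, `host.ip`, ...), and an index whose mapping has `host` as an object rejects the pre-6.3 plain hostname string. Once an index has been created with one mapping it cannot be changed in place, so the shape has to be made consistent in the pipeline before the event reaches the output. The following Python script is an added example, not code from KTS6, SELKS or the thread participants; the sample events, hostnames, IPs and beat versions are constructed for illustration. It classifies the `host` field, reproduces the two rejection reasons as a dry run against a given mapping, and normalises a batch to one shape so the whole batch indexes.

```python
"""Added example (not from the KTS6 project): reproduce and fix the beats
`host` shape conflict before events reach Elasticsearch."""
from copy import deepcopy
from typing import Any, Dict, List, Optional, Tuple

Event = Dict[str, Any]

# Constructed sample events. Field values are invented for illustration.
# Beats before 6.3 emitted `host` as a plain hostname string.
OLD_BEATS_EVENT: Event = {
    "@timestamp": "2019-01-25T15:27:15.753Z",
    "host": "sensor01",
    "beat": {"version": "6.2.4", "hostname": "sensor01"},
    "event_type": "dns",
}
# Beats 6.3 and later emit `host` as an object (host.name, host.ip, ...).
NEW_BEATS_EVENT: Event = {
    "@timestamp": "2019-01-25T15:31:54.917Z",
    "host": {"name": "sensor02", "ip": ["10.0.0.5"], "os": {"platform": "centos"}},
    "beat": {"version": "6.4.2", "hostname": "sensor02"},
    "event_type": "alert",
}
# An event with no host field at all, e.g. one produced by a Logstash input.
NO_HOST_EVENT: Event = {"@timestamp": "2019-01-25T15:40:00.000Z", "event_type": "flow"}


def host_shape(event: Event) -> str:
    """Classify the `host` field the way an ES mapping would see it."""
    value = event.get("host")
    if value is None:
        return "missing"
    if isinstance(value, dict):
        return "object"
    if isinstance(value, str):
        return "text"
    return "other"


def rejection_reason(event: Event, mapped_shape: str) -> Optional[str]:
    """Return the mapper_parsing_exception reason ES reports when a document
    with this `host` shape hits an index whose mapping has `mapped_shape`
    ("text" or "object"), or None when the document would index."""
    shape = host_shape(event)
    if shape in ("missing", mapped_shape):
        return None
    if mapped_shape == "text" and shape == "object":
        return "failed to parse field [host] of type [text]"
    if mapped_shape == "object" and shape == "text":
        return ("object mapping for [host] tried to parse field [host] "
                "as object, but found a concrete value")
    return "unsupported host shape: %s" % shape


def normalize_host(event: Event, target: str = "object") -> Event:
    """Return a copy of `event` whose `host` field has the requested shape.

    target="object": a string host becomes {"name": <string>}, the layout
    beats >= 6.3 use and what an ECS-style template expects.
    target="text":   an object host collapses to its host.name string, for
    templates that still map `host` as text.
    """
    if target not in ("object", "text"):
        raise ValueError("target must be 'object' or 'text'")
    out = deepcopy(event)  # never mutate the caller's event
    value = out.get("host")
    if value is None:
        return out
    if target == "object" and isinstance(value, str):
        out["host"] = {"name": value}
    elif target == "text" and isinstance(value, dict):
        # Fall back to beat.hostname, which both old and new beats carry.
        name = value.get("name") or out.get("beat", {}).get("hostname")
        if name is None:
            raise ValueError("host object has no name to collapse to")
        out["host"] = name
    return out


def triage(events: List[Event], mapped_shape: str) -> List[Tuple[int, str]]:
    """Dry-run a batch against a mapping: (position, reason) for each event
    ES would reject with HTTP 400, so the pipeline can be fixed before the
    warnings pile up in the logstash log."""
    rejected = []
    for i, ev in enumerate(events):
        reason = rejection_reason(ev, mapped_shape)
        if reason is not None:
            rejected.append((i, reason))
    return rejected


if __name__ == "__main__":
    batch = [OLD_BEATS_EVENT, NEW_BEATS_EVENT, NO_HOST_EVENT]
    print("rejects against a text mapping:   ", triage(batch, "text"))
    print("rejects against an object mapping:", triage(batch, "object"))
    fixed = [normalize_host(ev, "object") for ev in batch]
    print("after normalising to object:      ", triage(fixed, "object"))
```

In a Logstash pipeline the same branch would live in a `ruby` filter using `event.get("host")` and `event.set("host", ...)`, placed before the elasticsearch output, and the target shape must match the template that created the index (the `logstash-dns-*` index in the first warning was created with `host` as text, the `logstash-*` index in the second with `host` as an object). Mixing beats 6.2.x and 6.4.x shippers into the same indices without such a step will keep producing one of the two errors for whichever shipper arrived second.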
pevma commented 5 years ago

Do you use the SELKS5 ES/LS templates or your own custom ones?

-- Regards, Peter Manev
