cleesmith / unifiedbeat

Unifiedbeat reads records from Unified2 binary files generated by network intrusion detection software and indexes the records in Elasticsearch.
MIT License

Unable to load unifiedbeat.template.json #16

Open kravietz opened 5 years ago

kravietz commented 5 years ago

Per original instructions in README:

$ curl -XPUT 'http://localhost:9200/_template/unifiedbeat' -d@unifiedbeat.template.json
{"error":"Content-Type header [application/x-www-form-urlencoded] is not supported","status":406}

Trying to force JSON:

$ curl -XPUT 'http://localhost:9200/_template/unifiedbeat' --data "$(cat unifiedbeat.template.json)" -H Content-Type:application/json
{"error":{"root_cause":[{"type":"parse_exception","reason":"Failed to parse content to map"}],
"type":"parse_exception","reason":"Failed to parse content to map",
"caused_by":{"type":"json_parse_exception","reason":"Duplicate field 'input_type'\n at [Source: org.elasticsearch.transport.netty4.ByteBufStreamInput@662adc31; line: 231, column: 21]"}},"status":400}

That's with ElasticSearch 6.5.4 on Ubuntu 18.

kravietz commented 5 years ago

Seems to be caused by this backwards-incompatible change in ElasticSearch - Removal of mapping types. Essentially, the whole template is no longer compatible with ES6+.
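The second request in this thread is rejected with `Duplicate field 'input_type'`. As an added example (not part of the issue thread or of the unifiedbeat project), the Python script below lists every key that occurs more than once within the same JSON object, so a template file can be checked locally before it is sent to Elasticsearch. The sample template is constructed for illustration, and the names `find_duplicate_keys` and `SAMPLE_TEMPLATE` are assumptions.

```python
import json
import sys
from collections import Counter

# Constructed sample (not the real unifiedbeat.template.json): one
# "properties" object that repeats the key "input_type".
SAMPLE_TEMPLATE = """
{
  "template": "unifiedbeat-*",
  "mappings": {
    "_default_": {
      "properties": {
        "input_type": {"type": "keyword"},
        "signature":  {"type": "keyword"},
        "input_type": {"type": "keyword"}
      }
    }
  }
}
"""

class _Obj(list):
    """A JSON object kept as an ordered list of (key, value) pairs."""

def _walk(node, path, found):
    if isinstance(node, _Obj):
        counts = Counter(key for key, _ in node)
        for key, n in counts.items():
            if n > 1:
                found.append(("/".join(path + [key]), n))
        for key, value in node:
            _walk(value, path + [key], found)
    elif isinstance(node, list):  # JSON array
        for i, item in enumerate(node):
            _walk(item, path + [str(i)], found)

def find_duplicate_keys(text):
    """Return [(path, occurrences)] for keys repeated inside one object."""
    # json.loads alone keeps the last duplicate silently; the pairs hook
    # preserves every pair so repeats can be counted.
    tree = json.loads(text, object_pairs_hook=_Obj)
    found = []
    _walk(tree, [], found)
    return found

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for path, n in find_duplicate_keys(source):
        print(f"duplicate key: {path} (appears {n} times)")
```

Run it with the template path as the only argument; with no argument it checks the constructed sample.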