object mapping for [ModifiedProperties]

[borg333]

i have this in beat's log Nov 25 11:10:00 logstash logstash[103730]: [2019-11-25T11:10:00,543][WARN ][logstash.outputs.elasticsearch][main] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"o365-2019.11.25", :_type=>"_doc", :routing=>nil}, #<LogStash::Event:0x322ca0c8>], :response=>{"index"=>{"_index"=>"o365-2019.11.25", "_type"=>"_doc", "_id"=>"7jycoW4BRbr-kt3SOEWj", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"object mapping for [ModifiedProperties] tried to parse field [null] as object, but found a concrete value"}}}} and i dont know, its a logs problem or beat?

[chris-counteractive]

Thanks for the question, @borg333. We did see this issue (#14) and implemented a fix in v1.4.2. Are you using that latest version? If not, the fix is actually done in the config file, you could add the following line in your o365beat.yml:

processors:
  # all the rest of your existing processors section
  - convert:
      fields:
        # all the rest of your other convert.fields section
        - {from: ModifiedProperties, type: string}

If this doesn't fix the error, please let me know. I'll keep this open until we get your issue resolved. Thanks!

[borg333]

@chris-counteractive o365beat is latest version and conf that you prived is already in yml

[borg333]

seems ok now after creating a new index but new issue exists.