6

We send logs from a variety of services running in a Kubernetes cluster to Elasticsearch via Filebeat. Some of these services we develop ourselves, others are third-party. We use dynamic mapping in our indices. We've hit an issue where sometimes a field used by logs from one service happens to share the same name with logs from a difference service, and the type of data in that field is different. For example, in logs from one service, the url field might be a string, but in another, it might be a structured object. We then get errors ingesting the logs, saying:

{
  "type": "mapper_parsing_exception",
  "reason": "object mapping for [url] tried to parse field [url] as object, but found a concrete value"
}

What strategies might we use to get around these collisions?

Improve this question
1
  • 1
    (Turns out in this particular case the collision is with the default index template set up by Filebeat, but the broader question still stands) Commented Jul 21, 2021 at 7:13
Related questions
3
Logstash single input and multiple output
0
Combining log entries with logstash
2
Filebeat and LogStash -- data in multiple different formats
Load 7 more related questions Show fewer related questions

0

Reset to default

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.