failed to parse field [event.host] of type [keyword]

Question

failed to parse field [event.host] of type [keyword]

xisafe opened this issue 5 years ago · 6 comments

ELK FILEBEAT 6.4.2

[WARN ] 2019-04-08 15:37:37.272 [Ruby-0-Thread-19: :1] elasticsearch - Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"suricata-1.0.1-2019.04.08", :_type=>"doc", :routing=>nil}, #LogStash::Event:0x15177b81], :response=>{"index"=>{"_index"=>"suricata-1.0.1-2019.04.08", "_type"=>"doc", "_id"=>"ZhDh-2kB5FeKoMpssAt5", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [event.host] of type [keyword]", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:220"}}}}}

adziubin commented 5 years ago

"+"

Answer 1 · 2019-04-11T16:03:50.000Z

Same here, how can I fix it?

Answer 2 · 2019-04-16T10:37:20.000Z

“+”

同样在这里，我该如何解决？

use filebeat 6.2

Answer 3 · 2019-04-16T10:37:53.000Z

@misheher @adziubin use filebeat 6.2 elk 6.2

Answer 4 · 2019-04-29T09:30:43.000Z

update "[host]" => "[event][host]"
to "[host][hostname]" => "[event][host]"

Answer 5 · 2019-05-31T12:18:00.000Z

Release v1.1.0 supports Elastic Stack 7.x and has fixed this issue.