I'm trying out the new machine learning module in x pack. I'm trying to identify rare response codes in HTTP Access logs in time. My logs are being stored in elasticsearch as below:
{
  "_index": "logstash-2017.05.18",
  "_type": "Accesslog",
  "_id": "AVxvVfFGdMmRr-0X-J5P",
  "_version": 1,
  "_score": null,
  "_source": {
    "request": "/web/Q123/images/buttons/asdf.gif",
    "server": "91",
    "auth": "-",
    "ident": "-",
    "verb": "GET",
    "type": "Accesslog",
    "path": "/path/to/log",
    "@timestamp": "2017-05-18T10:20:00.000Z",
    "response": "304",
    "clientip": "1.1.1.1",
    "@version": "1",
    "host": "ip-10-10-10-10",
    "httpversion": "1.1",
    "timestamp": "18/May/2017:10:20:00 +0530"
  },
  "fields": {
    "@timestamp": [
      1495102800000
    ]
  }
}
I added a detector where I selected the function as 'rare' and the 'by_field_name' as 'response'. But when I save the job, I get the following error:
Save failed: [illegal_argument_exception] Can't merge a non object mapping [response] with an object mapping [response]
Please help.
The error message means that you are trying to change an existing mapping. However, that is not possible in Elasticsearch. Once a mapping has been created, it cannot be changed.
As explained by Shay Banon himself:
You can't change existing mapping type, you need to create a new index with the correct mapping and index the data again.
So you must create a new index to create this mapping. Depending on the situation, you either
Of course in the latter case you will lose all data in the index, so prepare accordingly.
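To make the merge rule behind that error concrete, here is an added example that is not part of the question or the answer above: a small offline model of how Elasticsearch compares an existing mapping with a proposed one, flagging fields where a leaf (a field with a `type`) would have to become an object (a field with `properties`) or vice versa, which is exactly the change it refuses to merge in place. It also assembles the two requests the answer describes as the fix: create a new index with the intended mapping, then copy the documents over with the `_reindex` API. The new index name, the property definitions and the 5.x-style mapping type name `Accesslog` are taken from or modelled on the question's document; treat them as constructed sample values.

```python
"""Offline model of Elasticsearch's mapping-merge check and of the
"new index + reindex" fix.  Example code, not from the original post.
Assumes a 5.x-era index with a single mapping type ("Accesslog"), as in
the question's document; index names below are constructed samples."""
import json

# Constructed: how the question's document would have been dynamically
# mapped (every value in _source is a string, so every field is a leaf).
EXISTING_PROPERTIES = {
    "request": {"type": "text"},
    "verb": {"type": "keyword"},
    "response": {"type": "keyword"},
    "clientip": {"type": "ip"},
    "@timestamp": {"type": "date"},
}

# Constructed: a proposed mapping in which "response" has become an object.
# Merging this onto EXISTING_PROPERTIES is the non-object-vs-object case
# named in the error message.
PROPOSED_PROPERTIES = {
    "request": {"type": "text"},
    "verb": {"type": "keyword"},
    "response": {"properties": {"code": {"type": "keyword"}}},
    "clientip": {"type": "ip"},
    "@timestamp": {"type": "date"},
    "bytes": {"type": "long"},  # brand-new fields merge fine
}


def find_mapping_conflicts(existing, proposed, path=""):
    """Return dotted names of fields whose definition cannot be merged.

    A field is an object if it carries 'properties', otherwise a leaf.
    Adding a field that did not exist is allowed; turning a leaf into an
    object (or back), or changing a leaf's type, is not.
    """
    conflicts = []
    for name, new_def in proposed.items():
        old_def = existing.get(name)
        if old_def is None:
            continue  # addition: Elasticsearch merges new fields
        full = f"{path}{name}"
        old_is_obj = "properties" in old_def
        new_is_obj = "properties" in new_def
        if old_is_obj != new_is_obj:
            conflicts.append(full)  # the error from the question
        elif old_is_obj:
            conflicts.extend(find_mapping_conflicts(
                old_def["properties"], new_def["properties"], full + "."))
        elif old_def.get("type") != new_def.get("type"):
            conflicts.append(full)  # leaf type change, e.g. text -> ip
    return conflicts


def build_fix_requests(old_index, new_index, type_name, properties):
    """Assemble the requests for the fix the answer describes.

    1. PUT the new index with the mapping you actually want.
    2. POST /_reindex to copy every document from the old index into it.
    Returned as plain dicts so they can be inspected or serialised.
    """
    return {
        "create_index": {
            "method": "PUT",
            "path": f"/{new_index}",
            "body": {"mappings": {type_name: {"properties": properties}}},
        },
        "reindex": {
            "method": "POST",
            "path": "/_reindex",
            "body": {"source": {"index": old_index},
                     "dest": {"index": new_index}},
        },
    }


if __name__ == "__main__":
    bad = find_mapping_conflicts(EXISTING_PROPERTIES, PROPOSED_PROPERTIES)
    print("cannot merge in place:", bad)
    plan = build_fix_requests("logstash-2017.05.18",
                              "logstash-2017.05.18-v2",  # constructed name
                              "Accesslog", PROPOSED_PROPERTIES)
    for step in ("create_index", "reindex"):
        req = plan[step]
        print(req["method"], req["path"])
        print(json.dumps(req["body"], indent=2))
```

Running the script lists `response` as the one field that cannot be merged and prints the two request bodies; once the reindex has completed, the old index can be dropped, which is the data-loss step the answer warns about.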