Can’t merge a non object mapping with an object mapping error in machine learning (beta) module

DS_1 · Jun 8, 2017 · Viewed 11.6k times

I'm trying out the new machine learning module in X-Pack. I'm trying to identify rare response codes in HTTP Access logs in time. My logs are being stored in Elasticsearch as below:

{
  "_index": "logstash-2017.05.18",
  "_type": "Accesslog",
  "_id": "AVxvVfFGdMmRr-0X-J5P",
  "_version": 1,
  "_score": null,
  "_source": {
    "request": "/web/Q123/images/buttons/asdf.gif",
    "server": "91",
    "auth": "-",
    "ident": "-",
    "verb": "GET",
    "type": "Accesslog",
    "path": "/path/to/log",
    "@timestamp": "2017-05-18T10:20:00.000Z",
    "response": "304",
    "clientip": "1.1.1.1",
    "@version": "1",
    "host": "ip-10-10-10-10",
    "httpversion": "1.1",
    "timestamp": "18/May/2017:10:20:00 +0530"
  },
  "fields": {
    "@timestamp": [
      1495102800000
    ]
  }
}

I added a detector where I selected the function as 'rare' and the 'by_field_name' as 'response'. But when I save the job I get the following error:

Save failed: [illegal_argument_exception] Can't merge a non object mapping [response] with an object mapping [response]

Please help.

Answer

sleske · Oct 27, 2017

The error message means that you are trying to change an existing mapping. However, that is not possible in Elasticsearch. Once a mapping has been created, it cannot be changed.

As explained by Shay Banon himself:

You can't change existing mapping type, you need to create a new index with the correct mapping and index the data again.

So you must create a new index to create this mapping. Depending on the situation, you either

  • create an additional index, or
  • delete the current index and re-create it from scratch.

Of course in the latter case you will lose all data in the index, so prepare accordingly.
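
As an added example (not part of the original answer), this Python check compares a proposed mapping against an index's current mapping offline and reports the fields that cannot be merged, including the object versus non-object case from the error above. Both mappings are constructed sample data, and the helper names `is_object` and `find_mapping_conflicts` are hypothetical.

```python
# Added example: offline pre-check of a proposed mapping against an existing one.
# Both mappings below are constructed sample data, not taken from a real cluster.

def is_object(field_def):
    """A field is an object if it has sub-properties or an object-like type."""
    return "properties" in field_def or field_def.get("type") in ("object", "nested")


def find_mapping_conflicts(existing, proposed, prefix=""):
    """Compare two 'properties' dicts and return (field_path, reason) pairs
    for changes that cannot be applied to an existing mapping."""
    conflicts = []
    for name, new_def in proposed.items():
        old_def = existing.get(name)
        path = prefix + name
        if old_def is None:
            continue  # new field: adding fields to a mapping is allowed
        old_obj, new_obj = is_object(old_def), is_object(new_def)
        if old_obj != new_obj:
            conflicts.append((path, "object vs non-object"))
        elif old_obj:
            # Both are objects: descend and compare their sub-fields.
            conflicts.extend(find_mapping_conflicts(
                old_def.get("properties", {}),
                new_def.get("properties", {}),
                path + "."))
        elif old_def.get("type") != new_def.get("type"):
            conflicts.append(
                (path, "type %s -> %s" % (old_def.get("type"), new_def.get("type"))))
    return conflicts


# Constructed: 'response' already exists as a plain (non-object) field.
EXISTING = {
    "response": {"type": "keyword"},
    "clientip": {"type": "ip"},
    "geo": {"properties": {"country": {"type": "keyword"}}},
}
# Constructed: a later mapping update that treats 'response' as an object.
PROPOSED = {
    "response": {"properties": {"code": {"type": "keyword"}}},
    "clientip": {"type": "ip"},
    "geo": {"properties": {"country": {"type": "text"}, "city": {"type": "keyword"}}},
    "verb": {"type": "keyword"},
}

if __name__ == "__main__":
    for path, reason in find_mapping_conflicts(EXISTING, PROPOSED):
        print(path, "->", reason)
```

To check a real index, pass in the `properties` section returned by the index's `_mapping` endpoint as `existing`.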