Hi,
I have an issue which is preventing the data collected by dockbeat to be sent successfully to elasticsearch. One of the key fields under containerLabels has a datetime format which is not captured by elasticsearch by default e.g.
{ "key": "build-date", "value": "2017-10-12T15:15:58.430231" }
I have tried to use the template file to explicitly refer to all containerLabels entries as string but this seems to be ignored on the elasticsearch end. Is there a way for me to configure a specific key under containerLabels to be a dateformat of my choosing, or is there a way to intercept the formating of the containerLabel fields?
Excerpt of dockbeat.yml
# A template is used to set the mapping in Elasticsearch
# By default template loading is disabled and no template is loaded.
# These settings can be adjusted to load your own template or overwrite existing ones
template:
# Template name. By default the template name is dockbeat.
name: \"dockbeat\"
# Path to template file
path: \"/opt/dockbeat/dockerbeat.template.json\"
# Overwrite existing template
overwrite: true
Excerpt of dockerbeat.template.json
{ "mappings": { "_default_": { "_all": { "enabled": true, "norms": { "enabled": false } }, "dynamic_templates": [ { "template1": { "mapping": { "doc_values": true, "ignore_above": 1024, "index": "not_analyzed", "type": "{dynamic_type}" }, "match": "*" } } ], "properties": { "@timestamp": { "type": "date" }, "containerLabels":{ "properties":{ "key":{ "type": "string" }, "value":{ "type": "string" } } },
Excerpt of error logged by Dockbeat
2017/12/07 03:15:23.863378 client.go:271: INFO Bulk item insert failed (i=49, status=500): {"type":"class_cast_exception","reason":"org.elasticsearch.index.mapper.TextFieldMapper cannot be cast to org .elasticsearch.index.mapper.DateFieldMapper"} 2017/12/07 03:15:23.863390 single.go:78: INFO Error publishing events (retrying): temporary bulk send failure
Hi,
I have an issue which is preventing the data collected by dockbeat to be sent successfully to elasticsearch. One of the key fields under containerLabels has a datetime format which is not captured by elasticsearch by default e.g.
{ "key": "build-date", "value": "2017-10-12T15:15:58.430231" }I have tried to use the template file to explicitly refer to all containerLabels entries as string but this seems to be ignored on the elasticsearch end. Is there a way for me to configure a specific key under containerLabels to be a dateformat of my choosing, or is there a way to intercept the formating of the containerLabel fields?
Excerpt of dockbeat.yml
Excerpt of dockerbeat.template.json
{ "mappings": { "_default_": { "_all": { "enabled": true, "norms": { "enabled": false } }, "dynamic_templates": [ { "template1": { "mapping": { "doc_values": true, "ignore_above": 1024, "index": "not_analyzed", "type": "{dynamic_type}" }, "match": "*" } } ], "properties": { "@timestamp": { "type": "date" }, "containerLabels":{ "properties":{ "key":{ "type": "string" }, "value":{ "type": "string" } } },Excerpt of error logged by Dockbeat
2017/12/07 03:15:23.863378 client.go:271: INFO Bulk item insert failed (i=49, status=500): {"type":"class_cast_exception","reason":"org.elasticsearch.index.mapper.TextFieldMapper cannot be cast to org .elasticsearch.index.mapper.DateFieldMapper"} 2017/12/07 03:15:23.863390 single.go:78: INFO Error publishing events (retrying): temporary bulk send failure