Just found this problem. Looks like my default graylog index can’t be rotated. When I try, I get this message in the server log:
2019-02-08T15:35:35.469-05:00 WARN [Indices] Couldn’t create index graylog_1509. Error: {“root_cause”:[{“type”:“mapper_parsing_exception”,“reason”:“Failed to parse mapping [message]: Could not convert [cs-bytes.index] to boolean”}],“type”:“mapper_parsing_exception”,“reason”:“Failed to parse mapping [message]: Could not convert [cs-bytes.index] to boolean”,“caused_by”:{“type”:“illegal_argument_exception”,“reason”:“Could not convert [cs-bytes.index] to boolean”,“caused_by”:{“type”:“illegal_argument_exception”,“reason”:“Failed to parse value [not_analyzed] as only [true] or [false] are allowed.”}}}
I remember the field cs-bytes from a long time ago. It should contain a number. When I run this command:
This field isn’t used anymore. Is there a way to delete it from elasticsearch? I’m not sure why an attempt is being made to convert it to a boolean value
Yes, I updated elasticsearch to 6.5.4-1 a few weeks ago, which is when the indices appear to have stopped rotating. At the time, I checked to be sure that the idices were the correct version, and could be upgraded. Graylog has been working fine since the upgrade, but I didn’t notice until now that the rotation had stopped. No error messages in the console
I didn’t remember having a custom mapping that contained the problem field of cs-byte. I thought it was dynamically created. I ran the following command, hoping to list all custom index mapping files, and sure enough… I found an old mapping that contained cs-byte.
curl -X GET 'http://localhost:9200/_template/*?pretty'
I then ran the following command to delete the old custom mapping, and after doing so I was able to manually rotate the index
