Hi Roland, the old index template being used by Graylog 1.x isn't compatible anymore with Elasticsearch 2.x. Just delete the old graylog-internal template (see https://www.elastic.co/guide/en/elasticsearch/reference/2.2/indices-templates.html#delete) and restart Graylog. The new template will be created by Graylog on startup and everything should work as expected.
Cheers, Jochen On Thursday, 11 February 2016 11:03:04 UTC+1, Roland Hill wrote: > > > Hi list, > > Whilst I had migrated from 1.2.3 to 2.0, I experienced issues with > logstash not being able to create an index. Long story short, I deleted all > historical indexes (graylog and logstash) and "dropped" the graylog mongodb > database. > > Yes this is drastic, but this is a home system so all is okay :-) > > For background, I feed graylog messages from the logstash GELF output > plugin (successfully working with graylog 1.3.3 and ES 1.75). > > Now, whilst the logstash index problem has been resolved, I can't get > graylog to create an index in ES v2.2.0 and it appears to be related to a > "MappingParsingException". > > Log snippet is below: > > 2016-02-11 22:41:17,256 INFO : org.graylog2.indexer.Deflector - Did not > find an deflector alias. Setting one up now. > 2016-02-11 22:41:17,262 INFO : org.graylog2.indexer.Deflector - There is > no index target to point to. Creating one now. > 2016-02-11 22:41:17,278 INFO : org.graylog2.indexer.Deflector - Cycling > deflector to next index now. > 2016-02-11 22:41:17,279 INFO : org.graylog2.indexer.Deflector - Cycling > from <none> to <hill_log2_0> > 2016-02-11 22:41:17,279 INFO : org.graylog2.indexer.Deflector - Creating > index target <hill_log2_0>... > 2016-02-11 22:41:17,325 ERROR: org.graylog2.periodical.IndexRotationThread > - Couldn't point deflector to a new index > org.elasticsearch.index.mapper.MapperParsingException: Failed to parse > mapping [message]: Mapping definition for [_source] has unsupported > parameters: [compress : true] > at > org.elasticsearch.cluster.metadata.MetaDataCreateIndexService$1.execute(MetaDataCreateIndexService.java:332) > > ~[graylog.jar:?] > at > org.elasticsearch.cluster.ClusterStateUpdateTask.execute(ClusterStateUpdateTask.java:45) > > ~[graylog.jar:?] > at > org.elasticsearch.cluster.service.InternalClusterService.runTasksForExecutor(InternalClusterService.java:458) > > ~[graylog.jar:?] > at > org.elasticsearch.cluster.service.InternalClusterService$UpdateTask.run(InternalClusterService.java:762) > > ~[graylog.jar:?] > at > org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedEsThreadPoolExecutor.java:231) > > ~[graylog.jar:?] > at > org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedEsThreadPoolExecutor.java:194) > > ~[graylog.jar:?] > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > > [?:1.8.0_60] > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > > [?:1.8.0_60] > at java.lang.Thread.run(Thread.java:745) [?:1.8.0_60] > Caused by: org.elasticsearch.index.mapper.MapperParsingException: Mapping > definition for [_source] has unsupported parameters: [compress : true] > at > org.elasticsearch.index.mapper.DocumentMapperParser.checkNoRemainingFields(DocumentMapperParser.java:171) > > ~[graylog.jar:?] > at > org.elasticsearch.index.mapper.DocumentMapperParser.checkNoRemainingFields(DocumentMapperParser.java:165) > > ~[graylog.jar:?] > at > org.elasticsearch.index.mapper.DocumentMapperParser.parse(DocumentMapperParser.java:148) > > ~[graylog.jar:?] > at > org.elasticsearch.index.mapper.DocumentMapperParser.parse(DocumentMapperParser.java:100) > > ~[graylog.jar:?] > at > org.elasticsearch.index.mapper.MapperService.parse(MapperService.java:435) > ~[graylog.jar:?] > at > org.elasticsearch.index.mapper.MapperService.merge(MapperService.java:272) > ~[graylog.jar:?] > at > org.elasticsearch.cluster.metadata.MetaDataCreateIndexService$1.execute(MetaDataCreateIndexService.java:329) > > ~[graylog.jar:?] > ... 8 more > > Can anyone offer any suggestions how I might debug this? Assuming its > something to do with the "logstash pipeline", I have reviewed all my > filters but nothing stands out to my somewhat untrained eye. > > Any pointers to get me looking in the right place would be appreciated. > > -- > Roland > > > -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/daf03b8f-db76-4968-b3d9-c93603918eca%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
