Elasticsearch Object Mapping Import Error

Published by Torry Crass on

So, you decided you want to try to import logs manually into some version of an ELK stack, or maybe just directly into Elasticsearch. I hope it’s going better for you than it has for me.

Though, I guess it’s probably not since you’ve found your way here.

When importing you may end up with an error like the one below (replace “id” with whatever field it is that you’re having problems with).

object mapping for [id] tried to parse field [id] as object, but found a concrete value

This basically means that your import can’t continue because of a type conflict: Elasticsearch has already mapped id (or again, whatever field you’re getting an error on) as an object, but somewhere in your data there’s text that appears as an id field holding a plain value, so it probably isn’t actually that type of field.

In my last case, this was related to log messages around certificates; those errors appeared within the greater log message and had an id field associated.

THE SOLUTION: In short, you’ll need to rename the conflicting field (id in my case) to another field name that doesn’t conflict. What I did was to search through the entire file for the string ,"id": because that was the most unique part of what I found, and replace it with ,"ca_id":. This update allowed the import to proceed.
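A structural version of the same fix, as an added example (not the author's code): it finds fields that appear both as an object and as a concrete value across events, then renames only the concrete occurrences. It assumes newline-delimited JSON input; the sample events, their field values and the function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample (NDJSON): "id" is an object in event 1, a plain value in event 2.
SAMPLE = """\
{"ts": "2020-01-01T00:00:00Z", "id": {"orig_h": "10.0.0.5", "resp_h": "10.0.0.9"}}
{"ts": "2020-01-01T00:00:01Z", "msg": "certificate error", "id": "F1a2b3"}
{"ts": "2020-01-01T00:00:02Z", "cert": {"id": "F9z8y7"}}
"""

def load(ndjson):
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]

def kinds(node, path=""):
    """Yield (dotted_path, 'object' | 'value') the way a mapping would see each field."""
    if isinstance(node, list):          # arrays take the type of their elements
        for item in node:
            yield from kinds(item, path)
    elif isinstance(node, dict):
        if path:
            yield path, "object"
        for key, val in node.items():
            yield from kinds(val, f"{path}.{key}" if path else key)
    elif node is not None and path:     # null creates no mapping
        yield path, "value"

def find_conflicts(docs):
    """Return {path: {kind: [event numbers]}} for fields seen as both object and value."""
    seen = defaultdict(lambda: defaultdict(list))
    for num, doc in enumerate(docs, 1):
        for path, kind in sorted(set(kinds(doc))):
            seen[path][kind].append(num)
    return {p: dict(k) for p, k in seen.items() if len(k) == 2}

def rename_value(doc, key, new_key):
    """Rename top-level `key` to `new_key` only where it holds a concrete value."""
    if key in doc and all(kind == "value" for _, kind in kinds(doc[key], key)):
        doc[new_key] = doc.pop(key)
    return doc

if __name__ == "__main__":
    docs = load(SAMPLE)
    print("conflicts:", find_conflicts(docs))
    fixed = [rename_value(d, "id", "ca_id") for d in docs]
    print("after rename:", find_conflicts(fixed))
    for d in fixed:
        print(json.dumps(d))
```

Unlike a text search-and-replace, this leaves the object-valued id and the nested cert.id untouched, so only the events that trigger the error are changed.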

NOTE: You might also be able to use other import parsing solutions like mappings on the receiving end to allow Logstash or Elasticsearch to handle the confusing data. That is something I have not yet done.

