Elasticsearch Dynamic Field Mapping and JSON Dot Notation

Tags: kubernetes


I opted to use the Logstash mutate filter with the rename option as described here:

https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html#plugins-filters-mutate-rename

The end result looked something like this:

filter {
  mutate {
    rename => {
      '[kubernetes][labels][app]'   => '[kubernetes][labels][app.kubernetes.io/name]'
      '[kubernetes][labels][chart]' => '[kubernetes][labels][helm.sh/chart]'
    }
  }
}


Although personally I've never encountered the exact same issue, I had similar problems when I indexed some test data and afterwards changed the structure of the document that should have been indexed (especially when "unflattening" data structures).

Your interpretation of the error message is correct. When you first index the document

{
  "log": "This is another log message.",
  "kubernetes": {
    "labels": {
      "app.kubernetes.io/name": "application-2"
    }
  }
}

Elasticsearch will recognize the app as an object/structure due to dynamic mapping.

When you then try to index the document

{
  "log": "This is a log message.",
  "kubernetes": {
    "labels": {
      "app": "application-1"
    }
  }
}

the previously, dynamically created mapping has defined the field app as an object with sub-fields, but Elasticsearch encounters a concrete value, namely "application-1".

I suggest that you set up an index template to define the correct mappings. For the 'outdated' logging versions I suggest pre-processing the particular documents, either through an Elasticsearch ingest pipeline or with e.g. Logstash, to get the documents into the correct format.

Hope that helps.
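Added example, not code from either answer: a small Python simulation of the behaviour described above. It expands dotted keys into nested objects the way dynamic mapping does, reproduces the object-vs-concrete-value conflict between the two document formats, and shows that renaming the old label (as the mutate/rename filter in the first answer does) removes the conflict. The field types and the error text are simplified assumptions, not Elasticsearch's own.

```python
import copy

# Constructed sample documents in the two formats from the question.
NEW_DOC = {"kubernetes": {"labels": {"app.kubernetes.io/name": "application-2"}}}
OLD_DOC = {"kubernetes": {"labels": {"app": "application-1"}}}

def expand_dots(obj):
    # Elasticsearch reads {"a.b": 1} as {"a": {"b": 1}} when deriving a mapping.
    if not isinstance(obj, dict):
        return obj
    out = {}
    for key, value in obj.items():
        *parents, leaf = key.split(".")
        node = out
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = expand_dots(value)
    return out

def dynamic_mapping(doc, mapping=None, path=""):
    # Simulated dynamic mapping: each key becomes an "object" or a leaf "text" field.
    # A later document that disagrees raises ValueError (stand-in for the ES error).
    mapping = {} if mapping is None else mapping
    for key, value in expand_dots(doc).items():
        field = f"{path}.{key}" if path else key
        new_type = "object" if isinstance(value, dict) else "text"
        entry = mapping.setdefault(key, {"type": new_type, "properties": {}})
        if entry["type"] != new_type:
            raise ValueError(f"field [{field}] is mapped as {entry['type']} "
                             f"but the document holds a {new_type}")
        if new_type == "object":
            dynamic_mapping(value, entry["properties"], field)
    return mapping

def rename_label(doc, old, new):
    # Pre-process an old-format document the way the mutate/rename filter does.
    doc = copy.deepcopy(doc)
    labels = doc.get("kubernetes", {}).get("labels", {})
    if old in labels:
        labels[new] = labels.pop(old)
    return doc

def conflict(docs):
    # Index docs in order into one fresh mapping; return the error text or None.
    mapping = {}
    try:
        for d in docs:
            dynamic_mapping(d, mapping)
    except ValueError as err:
        return str(err)
```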