This Elasticsearch error: No handler for type [string] declared on field
is often seen after an “innocent” upgrade from Elasticsearch 5.x to 6.x. Classic sign is that the new indices do not get created.
I faced this error when using Serilog to push data into the Elasticsearch cluster after upgrade. It is frustrating as it bites you after the upgrade process, just when you thought everything is fine now. Thankfully it is easy to fix.
Although this error can be due to many reasons, mostly it has been reported by the people who used it for log analytics. Typically they will have clients creating daily, weekly or monthly indices automatically and pushing the logs into the same.
WHY
Elasticsearch 6.x release saw the removal of “string” type. If you have not read it then please do. If you have daily/weekly/monthly indices created periodically and after upgrade new indices are not getting created then you might have template issues.
Er…Templates what?
Though not mandated it is one the best practices to have mappings for the indices you have in Elasticsearch. Do not let your indices run feral. Use templates to manage the mappings for your indices.
Usually the libraries you use to create and put indices also create a template for it. Serilog does that. Template contains a pattern in it. The template will be applied to all the indices which match the pattern. So when it is time to create a new index say, log-batman-2019.01, the template (with pattern log-batman-*) will automatically be picked up to be applied over the index creation process. And here hell breaks loose.
The Elasticsearch 5.x templates have “string” type in it and your shiny new Elasticsearch 6.x does not know that. And you see
No handler for type [string] declared on field [something]
The index creation process fails.
HOW
Fix the templates. As simple as that. Change the type string to text and the Elasticsearch error will go away. Here are the templates created by Serilog for Elasticsearch 5.x on left and Elasticsearch 6.x on right. You can see the differences and make out the changes you need to push into your templates.
The good guys at Serilog also removed the now deprecated and soon to be removed _all. The long term stated goal of Elasticsearch guys is to do away with type in the indices all together. Serilog uses a type called logevent for the indices it creates. Here in the template I have modified, I have replaced default with type logevent. You can stick with suggested name _doc.
From the documentation:
Indices created in 6.x only allow a single-type per index. Any name can be used for the type, but there can be only one. The preferred type name is _doc, so that index APIs have the same path as they will have in 7.0: PUT {index}/_doc/{id} and POST {index}/_doc
To see the templates in your cluster, open up the Kibana and in dev window use the command
GET _template/
Once you find the template then list it out using the command
GET _template/log-batman-template
Then make needed changes. Essentially finding all the occurances of type string and converting them to text. And also change the value of corresponding index to true (in older 5.x templates it is analyzed). The other changes shown above in the picture are optional but recommended. Then overwrite the template using the command
PUT _template/log-batman-template { "order" : 0, .... .... .... .... }
Your Elasticsearch error should now go away and new indices should get created. Cheers.