Can't change a field type

msieumouche · March 16, 2021, 2:03pm

Hello everyone,

I have a stack with ELK and wazuh, I'm looking to change the type of some fields ("keyword" to "ip") to personal fields (srcip, dstip, etc.)

Their search fields in kibana are data.srcip, etc.

I tried this query in the dev tools:

PUT /wazuh-alerts-*/_mapping
{
  "properties": {
    "data" : {
      "properties": {
        "dstip": {
          "type": "ip"
        }
      }
    }
  }
}

And I get this

{
  "error" : {
    "root_cause" : [
      {
        "type" : "illegal_argument_exception",
        "reason" : "mapper [data.dstip] cannot be changed from type [keyword] to [ip]"
      }
    ],
    "type" : "illegal_argument_exception",
    "reason" : "mapper [data.dstip] cannot be changed from type [keyword] to [ip]"
  },
  "status" : 400
}

Does anyone have a solution?

Thanks

Christian_Dahlqvist · March 18, 2021, 5:41am

You can not change existing mappings in Elasticsearch so you will need to create a new index with the updated mappings, e.g. through an index template, and then reindex your data into this.

msieumouche · March 18, 2021, 7:55am

thanks to you,

I have however found in: "Stack Management/Index Management/Templates/Edit Template".

A section in the web interface allowing me to change the type of my mapping.

Bye bye.

Christian_Dahlqvist · March 18, 2021, 7:57am

That will only apply to newly created indices, not existing ones. As data ages out it will however over time resolve the issue.

system · April 15, 2021, 7:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.