Change mapping question

peterch · December 6, 2017, 3:31am

Dear All,

I would like change one of the field type from "text" to "IP" for geoip use but fail. May i know how to do that. Thanks

GET /syslog/_mapping
{
"syslog": {
"mappings": {
"doc": {
"properties": {
"@timestamp": {
"type": "date"
},
"@version": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Description": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Destination IP": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Destination Port": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Signature ID": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Signature IS": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Signature Name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Signature Severity": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Source IP": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
}
}
}
}

Tried to change source IP type from text to IP by following
PUT /syslog
{
"properties": {
"Destination IP": {
"type": "IP",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
}

Result

{
"error": {
"root_cause": [
{
"type": "illegal_argument_exception",
"reason": "unknown setting [index.properties.Destination IP.fields.keyword.ignore_above] please check that any required plugins are installed, or check the breaking changes documentation for removed settings"
}
],
"type": "illegal_argument_exception",
"reason": "unknown setting [index.properties.Destination IP.fields.keyword.ignore_above] please check that any required plugins are installed, or check the breaking changes documentation for removed settings"
},
"status": 400
}

mujtabahussain · December 6, 2017, 4:35am

This section is particularly relevant from here, even though the post is old.

Elasticsearch (and Lucene) stores its indices in immutable segments — each segment is a “mini" inverted index. These segments are never updated in place. Updating a document actually creates a new document and marks the old document as deleted. As you add more documents (or update existing documents), new segments are created. A merge process runs in the background merging several smaller segments into a new big segment, after which the old segments are removed entirely.

Typically, an index in Elasticsearch will contain documents of different types. Each _type has its own schema or mapping. A single segment may contain documents of any type. So, if you want to change the field definition for a single field in a single type, you have little option but to reindex all of the documents in your index.

It's far easier to simply add a new field with the correct mapping and then send the data to it.

peterch · December 7, 2017, 3:33am

Thanks for your reply. I success to change type after delete the mapping and PUT again. However, the old data cannot search

system · January 4, 2018, 3:33am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Changing mapping type to IP Elasticsearch	2	358	August 15, 2019
How to Map IP type Elasticsearch	2	627	February 6, 2018
Can't change index field mapping to geo_ip Elasticsearch	14	2238	March 9, 2017
How to change the default type Elasticsearch	10	1419	April 20, 2018
Change the default mapping Elasticsearch	10	1681	July 5, 2017

Change mapping question

Related topics