Change mapping question

peterch · December 6, 2017, 3:31am

Dear All,

I would like change one of the field type from "text" to "IP" for geoip use but fail. May i know how to do that. Thanks

GET /syslog/_mapping
{
"syslog": {
"mappings": {
"doc": {
"properties": {
"@timestamp": {
"type": "date"
},
"@version": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Description": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Destination IP": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Destination Port": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Signature ID": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Signature IS": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Signature Name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Signature Severity": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Source IP": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
}
}
}
}

Tried to change source IP type from text to IP by following
PUT /syslog
{
"properties": {
"Destination IP": {
"type": "IP",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
}

Result

{
"error": {
"root_cause": [
{
"type": "illegal_argument_exception",
"reason": "unknown setting [index.properties.Destination IP.fields.keyword.ignore_above] please check that any required plugins are installed, or check the breaking changes documentation for removed settings"
}
],
"type": "illegal_argument_exception",
"reason": "unknown setting [index.properties.Destination IP.fields.keyword.ignore_above] please check that any required plugins are installed, or check the breaking changes documentation for removed settings"
},
"status": 400
}

mujtabahussain · December 6, 2017, 4:35am

This section is particularly relevant from here, even though the post is old.

Elasticsearch (and Lucene) stores its indices in immutable segments — each segment is a “mini" inverted index. These segments are never updated in place. Updating a document actually creates a new document and marks the old document as deleted. As you add more documents (or update existing documents), new segments are created. A merge process runs in the background merging several smaller segments into a new big segment, after which the old segments are removed entirely.

Typically, an index in Elasticsearch will contain documents of different types. Each _type has its own schema or mapping. A single segment may contain documents of any type. So, if you want to change the field definition for a single field in a single type, you have little option but to reindex all of the documents in your index.

It's far easier to simply add a new field with the correct mapping and then send the data to it.

peterch · December 7, 2017, 3:33am

Thanks for your reply. I success to change type after delete the mapping and PUT again. However, the old data cannot search

Topic		Replies	Views
Can't change a field type Elasticsearch	4	2173	April 15, 2021
Mapping Value is not changing after updating Elasticsearch	3	377	August 14, 2020
How can I change an existing field type using Python? Elasticsearch	4	3823	December 14, 2018
How to change the mappings of an index in python itself? Elasticsearch	3	545	January 4, 2023
How to update a field type of existing index in Elasticsearch Elasticsearch	13	133602	July 5, 2017

Change mapping question

Related topics