Change type field in logstash

Hi. I wanna have sum of network usage per client in nginx. This is the logstash before changes:
grok { match => { "message" => "%{IP:clientip} ... %{NUMBER:bytes}" } }
so at first I changed the NUMBER to INT:
grok { match => { "message" => "%{IP:clientip} ... %{INT:bytes}" } }
but it didn't work and in elasticsearch it's still text format and unable to do sum on it.
I added this line:
mutate { convert => ["bytes", "integer"] }
but it's not working yet. Do I need to delete the index? I prefer not to delete it.
This is the logstash output:
output {
  elasticsearch {
    hosts => ["localhost"]
    manage_template => true
    ilm_enabled => false
    index => "logstash-%{+YYYY.MM.dd}"
  }
}
This is elasticsearch mapping:
"bytes": {
  "type": "text",
  "norms": false,
  "fields": {
    "keyword": {
      "type": "keyword",
      "ignore_above": 256
    }
  }
}
Or can I use a PUT command to change the "bytes" format?
Thanx

You can convert that in grok using

%{NUMBER:bytes:int}

However, since you have already indexed that field as text, elasticsearch will convert int to text as it is indexed. You will need to re-index.
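
The re-index step mentioned in the answer, written out as Kibana Dev Tools console requests (an added example, not part of the original thread). It assumes Elasticsearch 7 or later; the index names are constructed placeholders for one existing daily index, and `clientip.keyword` assumes the same default text-plus-keyword mapping the thread shows for `bytes`.

```console
# Constructed names: logstash-2024.01.01 stands in for one existing daily index,
# logstash-2024.01.01-v2 is the new copy.

# 1. Create the destination index with bytes mapped as a number.
PUT logstash-2024.01.01-v2
{
  "mappings": {
    "properties": {
      "bytes": { "type": "long" }
    }
  }
}

# 2. Copy the documents. The stored _source still holds bytes as a string
#    such as "512"; the long mapping coerces it while indexing
#    (coerce is enabled by default for numeric fields).
POST _reindex
{
  "source": { "index": "logstash-2024.01.01" },
  "dest":   { "index": "logstash-2024.01.01-v2" }
}

# 3. Confirm the field type in the new index.
GET logstash-2024.01.01-v2/_mapping/field/bytes

# 4. Sum of bytes per client, which fails on the old text mapping.
GET logstash-2024.01.01-v2/_search
{
  "size": 0,
  "aggs": {
    "per_client": {
      "terms": { "field": "clientip.keyword" },
      "aggs": {
        "total_bytes": { "sum": { "field": "bytes" } }
      }
    }
  }
}
```

The type of an existing field cannot be changed with a PUT mapping update, which is why the copy goes into a new index rather than modifying the old one in place.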
