Convert field containing a timestamp from string to a date / time or timestamp?

riahc3 · March 4, 2021, 3:22pm

Oh yeah sorry....Used a old screenshot

riahc3 · March 5, 2021, 2:12pm

I tried this:

But it errors:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "x_content_parse_exception",
        "reason" : "[5:3] [index_template] unknown field [mappings]"
      }
    ],
    "type" : "x_content_parse_exception",
    "reason" : "[5:3] [index_template] unknown field [mappings]"
  },
  "status" : 400
}

Thought that would have done the trick

aaron-nimocks · March 5, 2021, 2:17pm

Your structure looks wrong. Do a GET _index_template/ and you can see all the other templates and use the same structure they use.

If you are still having issues I would open a new topic with that specific error you are encountering.

riahc3 · March 5, 2021, 2:24pm

Yeah I see the structure but the issue is that I dont know which is the DEFAULT one that is being applied ..... Elastic Stack does not make that clear for some reason.

These are all the index templates I have after doing a GET _index_template/

In there, there should be one related to logstash correct?

riahc3 · March 5, 2021, 2:41pm

OK, I sorta figured it out

0: Stop logstash
1: Delete index data
2: Delete index pattern
3: Start logstash
4: Generate data
5: Generate index pattern
6: Open Dev Tools and

PUT _index_template/your-index-name-template
{
  "index_patterns": ["your-index-name--*"],
  "template": {
    "mappings": {
      "properties": {
        "OneFieldWithDate": {
          "type": "date"
        },
		 "AnotherFieldWithDate": {
          "type": "date"
        }
      }
    }
  }
}

6: See data added
7: Stop logstash
8: Delete Index data
9: Delete Kibana data
10: Open Dev Tools and

PUT _index_template/your-index-name-template
{
  "index_patterns": ["your-index-name--*"],
  "template": {
    "mappings": {
      "properties": {
        "OneFieldWithDate": {
          "type": "date"
        },
		 "AnotherFieldWithDate": {
          "type": "date"
        }
      }
    }
  }
}

11: Start logstash
12: Generate data
13: Create Kibana index

Now I am getting the field in date....

Way way way too weird

riahc3 · March 9, 2021, 4:54pm

I have been able to cut it down to less steps

Thats being said, I want to explore if there are other ways to do it: More specifically without deleting older data.

Ive thought about SQL where you can technically do a alter table and that allows you to change the column type.

Does anything like this exist for Elasticsearch indexes?

Badger · March 9, 2021, 5:04pm

Once a field type is set in elasticsearch it cannot be changed. You would need to create a new index, apply a template that sets the field types you want, then copy the data from the old index to the new. The reindex API might be useful for that.

riahc3 · March 9, 2021, 5:34pm

My indexes are created daily (for example: adlogins-2021-03-09, adlogins-2021-03-10, etc). Is there a way to do it this way?

system · April 6, 2021, 5:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.