Hello,
I have only recently discovered the field datatype 'ip' I have most of the my IP addresses labeled as 'src_ip' looking at the current data type it's a 'string'.
Deep down I realise the answer will be re-index the data. Unfortunately I can't just delete all the indexes on a production system. Is there a way to reindex the current data from elastic itself - Is the process documented anywhere.
Thanks
Cam
Hi,
AFAIK, you need to reindex your data with a new mapping. You can use the following API:
https://www.elastic.co/guide/en/elasticsearch/reference/6.4/docs-reindex.html
bye,
Xavier
So knowing that I need to reindex my data, what else do I need to do to achieve the correct mapping moving forward?
Considering that I have 4 current index patterns, eg. logstash-, firewall-, syslog-, docker-
I'm tempted to set the default index-template. Does this have any repercussions?
So to correct the fieldtype is this the order of events?
Anything else?
Thanks in advance
Hi,
I would suggest to modify only templates you need. If they all depend of the default one, why not, but you have to be careful. Mabye you can test on the logstash one in a first time ?
The plan is:
Hope it helps
So I'm attempting to use a dynamic template, this is it here:
GET /_template/mylogstash
{
"my_logstash": {
"order": 1000,
"index_patterns": [
"logstash-*",
"firewall-*"
],
"settings": {},
"mappings": {
"_default_": {
"dynamic_templates": [
{
"dest_ip": {
"path_match": "dest_ip",
"mapping": {
"type": "ip"
}
}
},
{
"dst_ip": {
"path_match": "dst_ip",
"mapping": {
"type": "ip"
}
}
},
{
"src_ip": {
"path_match": "src_ip",
"mapping": {
"type": "ip"
}
}
}
]
}
},
"aliases": {}
}
}
Even using a regular non-dynamic template, Kibana? fails to set the type as 'ip'
Example: normal template:
{
"order": 1000,
"index_patterns": [
"logstash-*",
"firewall-*"
],
"mappings": {
"_default_": {
"properties": {
"@timestamp": {
"type": "date"
},
"dest_ip": {
"type": "ip"
},
"dst_ip": {
"type": "ip"
},
"src_ip": {
"type": "ip"
},
"zsrc_ip": {
"type": "ip"
},
"@version": {
"type": "keyword"
}
}
}
},
"aliases": {}
}
It's inserted into Elastic no worries. And I index some test data into an index where the fieldname does not exist yet.
I then search for the data, I see the new field name is not known, and Kibana asks me to refresh field list, I refresh the field list, at which point kibana reports the field name eg. 'dst_ip' as a string.
What am I doing wrong? I want kibana to recognise this as type: 'ip'
Sorry but I'm not very aware of the version 6.x and default templating... 
I got the template working.
This was the template I used:
PUT /_template/mylogstash
{
"order": 1000,
"index_patterns": [
"logstash-*",
"docker-*",
"syslog-*",
"ironport-*",
"firewall-*"
],
"mappings": {
"doc": {
"dynamic": "true",
"properties": {
"host": {
"type": "keyword"
},
"program": {
"type": "keyword"
},
"logsource": {
"type": "keyword"
},
"bytes": {
"type": "integer"
},
"bytes_in": {
"type": "integer"
},
"bytes_out": {
"type": "integer"
},
"dest_port": {
"type": "integer"
},
"src_port": {
"type": "integer"
},
"dest_ip": {
"type": "ip"
},
"src_ip": {
"type": "ip"
},
"geoip": {
"properties": {
"ip": {
"type": "ip"
},
"location": {
"type": "geo_point"
},
"latitude": {
"type": "half_float"
},
"longitude": {
"type": "half_float"
}
}
}
}
}
}
}
Not sure if i'm going to re-index my data, as the indexes roll over daily. Just the 'conflict' in Kibana makes me sad.
I actually had to fix some things regarding 'host.keyword' disappearing and not 'aggreagatable' which i had to fix with an another template update, documented here:
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.