Difference between type and _type

Elastic Stack Elasticsearch
1

Hello,

I would like to know what's the difference between type and _type and how to define it?

Thanks.

2

_type is an internal field which is set to the value of my_type in the following example:

PUT index/my_type/1
{
  "foo": "bar"
}

I don't know what you refer as type. Any link, context?

3

OK! just because I have to different _type for the same kind of data. And, I don't really understand why...

Here, "_type": "log":

{
  "_index": "carxx-2017.07.02",
  "_type": "log",
  "_id": "AV2761sGfp2Rn6-j1rT1",
  "_version": 1,
  "_score": null,
  "_source": {
    "fulltx": "XM25",
    "offset": 31576132,
    "nndossier": "07031005239",
    "heurereponse": "213137",
    "input_type": "log",
    "source": "/opt/carxx/carxx_test1",
    "codetx": "25",
    "type": "log",
    "tags": [
      "beats_input_codec_plain_applied"
    ],
    "ins": "05000",
    "iin": "0136",
    "typetx": "XM",
    "carxxtimestamp": "170702213137",
    "@timestamp": "2017-07-02T19:31:37.000Z",
    "iout": "2724",
    "@version": "1",
    "beat": {
      "hostname": "elasticpoc",
      "name": "elasticpoc",
      "version": "5.5.1"
    },
    "host": "elasticpoc",
    "id": "01158284000",
    "nnutilisateur": "000000000000",
    "fields": {
      "env": "staging",
      "type": "carxx"
    }
  },
  "fields": {
    "@timestamp": [
      1499023897000
    ]
  },
  "sort": [
    1499023897000
  ]
}

and here "_type": "doc":

{
  "_index": "filebeat-2017.08.07",
  "_type": "doc",
  "_id": "AV273s80fp2Rn6-j1p3B",
  "_version": 1,
  "_score": null,
  "_source": {
    "@timestamp": "2017-08-07T08:41:13.831Z",
    "beat": {
      "hostname": "elasticpoc",
      "name": "elasticpoc",
      "version": "5.5.1"
    },
    "fields": {
      "env": "staging",
      "type": "carxx"
    },
    "input_type": "log",
    "message": "01157774000170702213023%XM%00000000000070331015168480913213023050000080RRN0002W900500000000C0000000000000500024464063100100 33101516848 300 R00                                                         ",
    "offset": 31462457,
    "source": "/opt/carxx/carxx_test1",
    "type": "log"
  },
  "fields": {
    "@timestamp": [
      1502095273831
    ]
  },
  "sort": [
    1502095273831
  ]
}
4

How could I know? I have no idea of what you are doing.

It sounds like you are injecting 2 kind of data:

  • one coming from your app or may be from logstash? carxx-2017.07.02
  • another source coming from filebeat: filebeat-2017.08.07

But, is the _type really a problem here?

I'd encourage you always using doc as the type name as type will be removed in the future.
From 6.0 it defaults to doc.

5

Yes you are right. The problem was that both elasticsearch and logstash were enable in my filebeat configuration..

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.