Elasticsearch changed the field type automacatilly

joao · December 19, 2017, 11:42am

Hello,

Today I saw a strange behavior in Elasticsearch.
Yesterday I did this configuration:

This is my log:
LIBIA|42383595187|IPASGO|10.240.0.108|2017-12-18|11:23:30|LF

I use this Grok:
%{WORD:hostname}|%{WORD:username}|%{WORD:domain}|%{IP:clientip}|%{DATA:DateTime}|%{DATA:HourTime}|%{WORD:action}

But, today Elasticsearch changed the index's field type to "date", and now I have this message:

"Field Type Conflict: The type of this field changes across indices. It is unavailable for many analysis functions. The indices per type are as follows: "
date logstash-2017.12.19
text logstash-2017.12.18

Is it possible Elasticsearch change de index's field type automatically?
What I need to do in this case?

Thank you very much.

dadoonet · December 19, 2017, 11:58am

If you don't provide any mapping then elasticsearch tries to automatically guess from the content.

If you sent one document as:

{
  "foo": "bar"
}

One day in index named logstash-2017.12.18 and then:

{
  "foo": "2017-12-18"
}

in another index, the second one will be mapped as a date.

You need to provide mapping. You can use index template to automate that.

joao · December 19, 2017, 7:02pm

Thank you.
I will see about it.

system · January 16, 2018, 7:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.