Hi -
While working on enabling the Elasticsearch module, specifically the slowlog fileset, I ran into a challenge when I went to use the data in the index to build visualizations. Some of the fields that get pulled out of the slowlog are being set as "keyword" type, when they would obviously benefit from being set to "long" or some other numerical data type.
The field definitions are here: https://github.com/elastic/beats/blob/master/filebeat/module/elasticsearch/slowlog/_meta/fields.yml
And, a few of the fields that would seem to be better as an actual number are:
elasticsearch.slowlog.took_millis (renamed to event.duration in 7.x)
elasticsearch.slowlog.total_hits
elasticsearch.slowlog.total_shards
And semi-related, the slowlog emits the "took" value in what appears to be a human-readable format (with "s" for seconds, "m" for minutes, etc).
Is there any reason why these fields are set as "keyword"? What is the process to request that these be switched over? Or is there something I can do to override this on our end?