Field marked as number, but index is having it as string

rmalired · August 25, 2016, 3:58pm

Hi, I running into an issue where my grok expression stays a particular field as NUMBER, but when the data is loaded into elastic search it is getting marked as string.

below is the configuration

grok Pattern
WEBLOGIC_ACCESS_TS %{YEAR}-%{MONTHNUM}-%{MONTHDAY}\t%{TIME}
WEBLOGIC_EXTENDED_ACCESS %{WEBLOGIC_ACCESS_TS:accesstimestamp}\t%{NUMBER:responsetime}\t%{WORD:verb}\t%{GREEDYDATA:request}\t%{NUMBER:httpstatus}

then my logstash filter config is as below

grok{
patterns_dir => "C:\Elastic\logstash\patterns"
match => {"message" => "%{WEBLOGIC_EXTENDED_ACCESS}"}
}

        mutate{
            gsub =>["accesstimestamp", "\t", " "]

        }


        date{
            match => ["accesstimestamp", "YYYY-MM-dd HH:mm:ss"]
            target => "@timestamp"
         }

my index in kibana shows as string

Am I missing something ?

magnusbaeck · August 25, 2016, 4:57pm

NUMBER is just a shortcut for a regular expression that matches numbers. The captured field will still be a string. To convert the captured string into an integer use %{NUMBER:httpstatus:int}. See the grok filter documentation.

Field mappings are immutable so you'll have to reindex (or wait until the next day if you have daily indexes) to actually get an integer field.

rmalired · August 26, 2016, 3:55am

that helps

rakesh malireddy

Topic		Replies	Views
GROK NUMBER field type creating field as string and not number Logstash	2	9789	September 27, 2017
Logstash grok plugin is considering number as text Logstash	6	315	July 11, 2019
Fields not being categorized properly Kibana	8	627	March 2, 2018
Kibana show field as string in "Table" view and as number in "JSON" view Kibana	6	1137	May 31, 2020
Field NUMBER save as String Logstash	1	335	January 1, 2019

Field marked as number, but index is having it as string

Related topics