Field marked as number, but index is having it as string

rmalired · August 25, 2016, 3:58pm

Hi, I running into an issue where my grok expression stays a particular field as NUMBER, but when the data is loaded into elastic search it is getting marked as string.

below is the configuration

grok Pattern
WEBLOGIC_ACCESS_TS %{YEAR}-%{MONTHNUM}-%{MONTHDAY}\t%{TIME}
WEBLOGIC_EXTENDED_ACCESS %{WEBLOGIC_ACCESS_TS:accesstimestamp}\t%{NUMBER:responsetime}\t%{WORD:verb}\t%{GREEDYDATA:request}\t%{NUMBER:httpstatus}

then my logstash filter config is as below

grok{
patterns_dir => "C:\Elastic\logstash\patterns"
match => {"message" => "%{WEBLOGIC_EXTENDED_ACCESS}"}
}

        mutate{
            gsub =>["accesstimestamp", "\t", " "]

        }


        date{
            match => ["accesstimestamp", "YYYY-MM-dd HH:mm:ss"]
            target => "@timestamp"
         }

my index in kibana shows as string

Am I missing something ?

magnusbaeck · August 25, 2016, 4:57pm

NUMBER is just a shortcut for a regular expression that matches numbers. The captured field will still be a string. To convert the captured string into an integer use %{NUMBER:httpstatus:int}. See the grok filter documentation.

Field mappings are immutable so you'll have to reindex (or wait until the next day if you have daily indexes) to actually get an integer field.

rmalired · August 26, 2016, 3:55am

that helps

rakesh malireddy