Field marked as number, but index is having it as string

rmalired · August 25, 2016, 3:58pm

Hi, I running into an issue where my grok expression stays a particular field as NUMBER, but when the data is loaded into elastic search it is getting marked as string.

below is the configuration

grok Pattern
WEBLOGIC_ACCESS_TS %{YEAR}-%{MONTHNUM}-%{MONTHDAY}\t%{TIME}
WEBLOGIC_EXTENDED_ACCESS %{WEBLOGIC_ACCESS_TS:accesstimestamp}\t%{NUMBER:responsetime}\t%{WORD:verb}\t%{GREEDYDATA:request}\t%{NUMBER:httpstatus}

then my logstash filter config is as below

grok{
patterns_dir => "C:\Elastic\logstash\patterns"
match => {"message" => "%{WEBLOGIC_EXTENDED_ACCESS}"}
}

        mutate{
            gsub =>["accesstimestamp", "\t", " "]

        }


        date{
            match => ["accesstimestamp", "YYYY-MM-dd HH:mm:ss"]
            target => "@timestamp"
         }

my index in kibana shows as string

Am I missing something ?

magnusbaeck · August 25, 2016, 4:57pm

NUMBER is just a shortcut for a regular expression that matches numbers. The captured field will still be a string. To convert the captured string into an integer use %{NUMBER:httpstatus:int}. See the grok filter documentation.

Field mappings are immutable so you'll have to reindex (or wait until the next day if you have daily indexes) to actually get an integer field.

rmalired · August 26, 2016, 3:55am

that helps

rakesh malireddy

Topic		Replies	Views
Fields not being categorized properly Kibana	8	627	March 2, 2018
Kibana show field as string in "Table" view and as number in "JSON" view Kibana	6	1133	May 31, 2020
Field NUMBER save as String Logstash	1	335	January 1, 2019
How to get Number type by using Grok Logstash	4	9515	October 25, 2018
How to change the datatype of field in elastic search Logstash	9	10508	July 6, 2017

Field marked as number, but index is having it as string

Related Topics