Filebeat Cisco module field type randomly changing

Hi!

We use 2 Filebeat modules (cisco + checkpoint) running on the same server, so it's basically a syslog server. I configured Filebeat to use a custom index. For some reason, some field types are mapped incorrectly, especially source.bytes and destination.bytes. Here's the output for the same field on different days:

GET /myindex-2021.03.13-000005/_mapping/field/destination.bytes
{
  "myindex-2021.03.13-000005" : {
    "mappings" : {
      "destination.bytes" : {
        "full_name" : "destination.bytes",
        "mapping" : {
          "bytes" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          }
        }
      }
    }
  }
}

On another day:

GET /myindex-2021.03.14-000006/_mapping/field/destination.bytes
{
  "myindex-2021.03.14-000006" : {
    "mappings" : {
      "destination.bytes" : {
        "full_name" : "destination.bytes",
        "mapping" : {
          "bytes" : {
            "type" : "long"
          }
        }
      }
    }
  }
}

Elasticsearch, Filebeat and Kibana run on 7.11.2. I already tried to force the mapping on the index by doing:

PUT %3Cmyindex-%7Bnow%2Fd%7D-000001%3E
{
  "aliases": {
    "myalias": {
      "is_write_index": true
    }
  },
  "mappings": {
    "properties": {
      "destination.bytes": {"type": "integer"}
    }
  }
}

It worked for the first created index, but after that, the field started to change again.
One other thing: our dashboards are still showing the correct value of aggregate functions (ex: source.bytes + destination.bytes), but when we try to edit, no field name is shown.

Do you know what can cause this issue?

Thank you in advance!
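As an added example (not part of the original post, and not Filebeat or Elasticsearch code): a small Python check that takes get-field-mapping responses in the shape quoted above and reports every field whose type differs between daily indices. The sample input is constructed from the two responses in the post, and the function names are hypothetical.

```python
import json

# Constructed sample: the two responses quoted in the post, merged into one
# object keyed by index name, the shape a multi-index request returns.
SAMPLE_RESPONSE = json.loads("""
{
  "myindex-2021.03.13-000005": {"mappings": {"destination.bytes": {
    "full_name": "destination.bytes",
    "mapping": {"bytes": {"type": "text", "fields": {
      "keyword": {"type": "keyword", "ignore_above": 256}}}}}}},
  "myindex-2021.03.14-000006": {"mappings": {"destination.bytes": {
    "full_name": "destination.bytes",
    "mapping": {"bytes": {"type": "long"}}}}}
}
""")


def field_types(response):
    """Return {field: {type: [indices]}} from a get-field-mapping response."""
    seen = {}
    for index, body in response.items():
        for key, entry in body.get("mappings", {}).items():
            name = entry.get("full_name", key)
            # "mapping" is keyed by the leaf name ("bytes" for destination.bytes).
            for leaf in entry.get("mapping", {}).values():
                ftype = leaf.get("type", "object")
                seen.setdefault(name, {}).setdefault(ftype, []).append(index)
    return seen


def find_conflicts(response):
    """Return only the fields mapped with more than one type across indices."""
    return {
        name: {ftype: sorted(indices) for ftype, indices in types.items()}
        for name, types in field_types(response).items()
        if len(types) > 1
    }


def unmapped_indices(response):
    """Return indices in the response where the requested field has no mapping."""
    return sorted(i for i, body in response.items() if not body.get("mappings"))


if __name__ == "__main__":
    for field, types in find_conflicts(SAMPLE_RESPONSE).items():
        for ftype, indices in sorted(types.items()):
            print(f"{field}: {ftype} in {', '.join(indices)}")
```
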
