GROK NUMBER field type creating field as string and not number

cchooks2 · August 30, 2017, 6:49pm

I have a created a GROK pattern to parse out a "number" field on an access log, but when i look at the data in the kibana management console it is showing these fields as a string.

Any thoughts on this?

GROK pattern:

%{IP:client_ip}%{SPACE}%{DATA:client_port}%{SPACE}%{DATA:ident}%{SPACE}[%{EVENT_TS:event_ts}]%{SPACE}"%{WORD:method}%{SPACE}%{URIPATHPARAM:uri_path}%{SPACE}%{GREEDYDATA:version}"%{SPACE}%{NUMBER:status}%{SPACE}%{DATA:bytes}%{SPACE}%{NUMBER:request_time_in_secs}%{SPACE}%{NUMBER:keep_alives}%{SPACE}"%{GREEDYDATA:referer}"%{SPACE}"%{GREEDYDATA:user_agent}"%{SPACE}"%{GREEDYDATA:contenttype}"%{SPACE}%{GREEDYDATA:jsession_id}%{SPACE}%{IP:x_clientip}%{SPACE}%{NUMBER:response_time_in_secs}

Thanks.

magnusbaeck · August 30, 2017, 7:51pm

This is expected. To get a number field, see this paragraph in the grok filter docs:

Optionally you can add a data type conversion to your grok pattern. By default all semantics are saved as strings. If you wish to convert a semantic’s data type, for example change a string to an integer then suffix it with the target data type. For example %{NUMBER:num:int} which converts the num semantic from a string to an integer. Currently the only supported conversions are int and float.

system · September 27, 2017, 7:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to get Number type by using Grok Logstash	4	9555	October 25, 2018
Field marked as number, but index is having it as string Logstash	3	1123	July 6, 2017
Writing GROK for tomcat logs Logstash	2	377	April 13, 2018
Grok Parsing numeric field as "NUMBER:field_name:float" , still Kibana showing string field Logstash	1	369	March 23, 2022
Kibana show field as string in "Table" view and as number in "JSON" view Kibana	6	1136	May 31, 2020

GROK NUMBER field type creating field as string and not number

Related topics