Having trouble with field mapping types

ELK stack 7.11

I'm having some trouble getting my field mapping types. This is a snippet of my Logstash configuration, which I've added to include some new fields in an index.

if [log_message] =~ /TP status:/ {
  grok {
    break_on_match => true
    match => ["log_message", "TP status: CPU-time=%{BASE10NUM:node_cputime:float}, threads=%{BASE10NUM:node_curr_threads:int} \(max=%{BASE10NUM:node_max_threads:int}, idle=%{BASE10NUM:node_idle_threads:int}, queueLength=%{BASE10NUM:node_queue_length:int}, queueAgeMs=%{BASE10NUM:node_queue_age:float}\), CPU load=%{BASE10NUM:node_cpu_load:float}" ]
  }
}

Yet all the fields I've mapped come out as strings. They all have the correct values, but as strings. Is there a better way of doing this?

Also, something's changed in version 7.11. Whenever I introduced new fields into my index, I would go and refresh the fields list from Index Management. That option is missing now. What's the new method?

I would set the field types in the Elastic index mapping and not worry about doing that in Logstash. I don't believe what you set the field types to in Logstash has anything to do with how they are stored in the Elastic index.

They certainly did in the past. I'm not sure if anything's changed in 7.11, but I believe I was using a previous 7 series version before and field types came from Logstash. I have various fields in my index which are numeric types that have been set by Logstash alone.

Can field types be set using the Kibana interface? Or do you have to make an API call to elastic to do that?

API call.

They may have aligned, but it was never a guarantee. The only guarantee is to define a mapping.
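
The explicit mapping the last replies recommend, as an added example (not code from the thread): a Python script that reads the typed captures from the grok pattern in the question and builds the body for Elasticsearch's update-mapping API (`PUT /<index>/_mapping`). The index name `logstash-example` and the choice to map grok `int` to `long` are assumptions.

```python
import json
import re

# Grok pattern copied from the Logstash snippet in the question.
GROK_PATTERN = (
    r"TP status: CPU-time=%{BASE10NUM:node_cputime:float}, "
    r"threads=%{BASE10NUM:node_curr_threads:int} "
    r"\(max=%{BASE10NUM:node_max_threads:int}, "
    r"idle=%{BASE10NUM:node_idle_threads:int}, "
    r"queueLength=%{BASE10NUM:node_queue_length:int}, "
    r"queueAgeMs=%{BASE10NUM:node_queue_age:float}\), "
    r"CPU load=%{BASE10NUM:node_cpu_load:float}"
)

# Matches %{SYNTAX:field} and %{SYNTAX:field:type}
CAPTURE = re.compile(r"%\{(\w+):([\w\[\]@.-]+)(?::(\w+))?\}")

# Assumption of this example: grok's two conversions mapped to Elasticsearch
# numeric types ("long" is what dynamic mapping picks for JSON integers).
GROK_TO_ES = {"int": "long", "float": "float"}


def grok_to_properties(pattern):
    """Return the Elasticsearch "properties" dict for the typed captures."""
    props = {}
    for _syntax, field, conv in CAPTURE.findall(pattern):
        if not conv:
            continue  # untyped capture: leave it to the existing mapping
        if conv not in GROK_TO_ES:
            raise ValueError(f"unsupported grok conversion {conv!r} on {field}")
        es_type = GROK_TO_ES[conv]
        if props.setdefault(field, {"type": es_type})["type"] != es_type:
            raise ValueError(f"field {field} captured with conflicting types")
    return props


def mapping_request(index, pattern):
    """Build (method, path, JSON body) for the update-mapping API call."""
    body = {"properties": grok_to_properties(pattern)}
    return "PUT", f"/{index}/_mapping", json.dumps(body, indent=2, sort_keys=True)


if __name__ == "__main__":
    # "logstash-example" is a placeholder index name.
    method, path, body = mapping_request("logstash-example", GROK_PATTERN)
    print(method, path)
    print(body)
```

Elasticsearch does not change the type of a field that already exists in an index, so fields already indexed as strings need the same `properties` block in the mapping of a new index, followed by a reindex.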