How to change an index mapping in Elastic search

Elastic Stack Elasticsearch
1

Hello,
I am ingesting the following document into Elasticsearch via Logstash:

[xxxx@yyyy ~]# curl -k http://my_es_hostname:9200/cdp-zos-syslog-console-plex75-20231005/_search?pretty
{
  "took" : 564,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 309,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "cdp-zos-syslog-console-plex75-20231005",
        "_type" : "_doc",
        "_id" : "Yu9p_ooBSa48C3jEeosr",
        "_score" : 1.0,
        "_source" : {
          "ROUTECODE" : "00000000000000000000000000000000",
          "FLAGS" : "80",
          "sourceType" : "zOS-SYSLOG-Console",
          "seq" : {
            "c" : "0",
            "w" : "0"
          },
          "@timestamp" : "2023-10-05T05:57:15.840Z",
          "TIMESTAMP" : "23278 01.57.15.840 -0400",
          "path" : "SYSLOG",
          "ASID" : "0012",
          "systemName" : "TVT5076",
          "message" : "NC,0012,23278 01.57.15.840 -0400,TVT5076 ,TSU01399,MARINUC ,00000000000000000000000000000000,00000290,MARINUC ,80,\" D A,L\"\n",
          "rcd" : "NC",
          "sourceName" : "TVT5076-SYSLOG",
          "inputsequence" : "20231005055718722:000000",
          "DESCRIPTOR" : "00000290",
          "timeZone" : "-0400",
          "sysplexName" : "PLEX75",
          "JOBNUM" : "TSU01399",
          "CONSOLE" : "MARINUC ",
          "host" : "TVT5076.svl.ibm.com",
          "TEXT" : " D A,L",
          "SMFID" : "TVT5076 ",
          "@version" : "1",
          "port" : 1062,
          "JOBNAME" : "MARINUC "
        }
      },

The goal is to change the ASID fied (that is also part of the index ) from the type text into integer .
Can you kindly provide te operational steps to do this?
My ELK and specifically Elasicsearch background is not strong ...
Thanks in advance for any help
Francesco

2

Hi @Francesco66,

Welcome back! To change the field type you need to:

  1. Create a new index with an updated mapping to include your type
  2. Reindex the documents to the new index

Looking at your sample document I see that field ASID has preceding zeros. Do you really want to change the field type from string to integer? Leading zeros are not allowed with integer types and you will receive an error on ingest.

3 
Hello Carly,
thanks for your insights here.
I have chosen ASID just for testing purposes but could change any other field.
Regarding your suggestions I had found the following:
https://linuxhint.com/change-field-type-elasticsearch/
but my main problem is to translate the suggested steps into operational.
For example , when you say that I need to create a new indx with the updates map:
-Can I copy it from the one I am using?
-The url suggests this command:
PUT /change-me
{
"mappings": {
"properties": {
"id": {
"type": "integer"
      },
"username": {
"type": "text"
  }
    }
  }
}
Where can I run it? Is it possible to run it as a curl command? Can I run it via GUI?
This is one of he commands I am familiar with when interacting with ES:
[xxxx@yyyy ~]# curl -k http://xxxx.xxxx.xxxx.xxxx:9200/cdp-zos-syslog-console-plex75-20231005/_search?pretty
May I embed the commands into the above curl?
Thanks and bye
4

Hello @Francesco66

  1. Re-indexing can be done from here: How to Increase Primary Shard Count in Elasticsearch
    check method 2
5

Hi @Francesco66,

Thanks for confirming! So the command you've provided is the command to create a new index. If you don't specify a mapping for a field when creating an index, the field type will be determined dynamically by the value of the first pushed document containing that field.

If you want to see the current mapping of your index use the below command:

GET my-index/_mapping

You can either run the commands as curl commands, or in the Dev Tools Console located in Kibana.

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.