How to change field from text, float to only float?

Elastic Stack Elasticsearch
1

Hello there,

We have an issue on one of our customer sites where a field is mapped as text, float rather than just float. I believe this is causing a grok timeout issue.

The ELK stack is receiving logs from an application and creates a new index each day.

Our in-house setup (same ELK stack version) detects and maps this field as just float and does not have this grok timeout issue. Please see screenshots below

Customer site

},
        "spend_time": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }

In-house test VM

 },
        "spend_time": {
          "type": "float"
        },

Question, am I able to override this by creating a new field in the index template gui as below?

image
image1299×171 18.1 KB

Thanks in advance

2

Yes. If you specify in the index mapping or in the index template what must be the data type for this field, then Elasticsearch will not try to guess anymore.

3

Great,

So this would mean that going forward every document index the field as float,

If I reindex this would also apply the field value from the index template to the existing indexes ?

4

Yes. As long it creates a new index with the new field type, that will be ok.

5

will adding a field to the mapping section of the index template affect the other fields that are being dynamically mapped or the will be index as before?

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.