How to change field from text, float to only float?

randomnamegenerator · November 13, 2023, 7:13am

Hello there,

We have an issue on one of our customer sites where a field is mapped as text, float rather than just float. I believe this is causing a grok timeout issue.

The ELK stack is receiving logs from an application and creates a new index each day.

Our in-house setup (same ELK stack version) detects and maps this field as just float and does not have this grok timeout issue. Please see screenshots below

Customer site

},
        "spend_time": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }

In-house test VM

 },
        "spend_time": {
          "type": "float"
        },

Question, am I able to override this by creating a new field in the index template gui as below?

Thanks in advance

dadoonet · November 13, 2023, 9:20am

Yes. If you specify in the index mapping or in the index template what must be the data type for this field, then Elasticsearch will not try to guess anymore.

randomnamegenerator · November 13, 2023, 9:25am

Great,

So this would mean that going forward every document index the field as float,

If I reindex this would also apply the field value from the index template to the existing indexes ?

dadoonet · November 13, 2023, 10:01am

Yes. As long it creates a new index with the new field type, that will be ok.

randomnamegenerator · November 15, 2023, 8:52am

will adding a field to the mapping section of the index template affect the other fields that are being dynamically mapped or the will be index as before?

system · December 13, 2023, 8:52am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.