I have an index with an auto-generated mapping (see attachment).
The field "log4j_root_cause" contains a Java stacktrace that might be quite lengthy.
After importing data, I see that there are many documents that have a full stacktrace in log4j_root_cause.
However, for many of those, the field log4j_root_cause.keyword is empty, even though field log4j_root_cause is not.
I assume that has to do with the content of log4j_root_cause being longer than 256 (the value of ignore_above).
How can I change this?
I tried this:
curl -XPUT 'localhost:9200/log4j2-generic/_mapping/javastacktrace' -H 'Content-Type: application/json' -d'
{
  "properties": {
    "log4j_root_cause": {
      "ignore_above": 20000,
      "type": "keyword",
      "index": "true"
    }
  }
}
'
but it gave me
{"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"mapper [log4j_root_cause] cannot be changed from type [text] to [keyword]"}],"type":"illegal_argument_exception","reason":"mapper [log4j_root_cause] cannot be changed from type [text] to [keyword]"},"status":400}
I also tried downloading the entire index (which resulted in the file I linked to above), changing the limit in that file, and then dropping and recreating the index with this:
curl -XPUT 'localhost:9200/log4j2-generic' -H 'Content-Type: application/json' -d @<my file>
but that resulted in
{"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"unknown setting [index.log4j2-generic.mappings.doc.properties.@timestamp.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings"}],"type":"illegal_argument_exception","reason":"unknown setting [index.log4j2-generic.mappings.doc.properties.@timestamp.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings"},"status":400}
Ultimately, I just want to be able to do visualizations based on log4j_root_cause regardless of how long that field is. How do I do that? The visualization editor only lets me select the .keyword versions of the field, which is why I figured I need to change the length limit.
What is the right way to do this?
Thank you!
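
Added example, not part of the original post: a Python sketch of the drop-and-recreate route described above. It converts the output of GET /log4j2-generic into a body that PUT /log4j2-generic accepts and raises ignore_above on the keyword sub-field. The sample export, the function names and the 8191 limit are assumptions; the attached mapping is not reproduced here.

```python
import copy
import json

# Settings Elasticsearch generates itself; a create-index body must not carry them.
GENERATED_SETTINGS = ("creation_date", "provided_name", "uuid", "version")

# Constructed sample of what GET /log4j2-generic returns (not the attached file).
EXPORTED = {"log4j2-generic": {
    "aliases": {},
    "mappings": {"doc": {"properties": {
        "@timestamp": {"type": "date"},
        "log4j_root_cause": {"type": "text", "fields": {
            "keyword": {"type": "keyword", "ignore_above": 256}}}}}},
    "settings": {"index": {
        "creation_date": "1500000000000", "number_of_shards": "5",
        "provided_name": "log4j2-generic", "uuid": "constructed-uuid",
        "version": {"created": "6000099"}}}}}


def raise_limit(node, field, limit):
    """Set ignore_above on every <field>.keyword below node; return the count."""
    changed = 0
    for name, child in node.get("properties", {}).items():
        sub = child.get("fields", {}).get("keyword", {})
        if name == field and sub.get("type") == "keyword":
            sub["ignore_above"] = limit
            changed += 1
        changed += raise_limit(child, field, limit)  # nested object fields
    return changed


def to_create_body(exported, index, field, limit):
    """Convert GET /<index> output into a body that PUT /<index> accepts."""
    inner = copy.deepcopy(exported[index])  # unwrap the outer index-name key
    settings = inner.get("settings", {})
    for name in GENERATED_SETTINGS:
        settings.get("index", {}).pop(name, None)
    mappings = inner.get("mappings", {})
    # Typed mappings (as in the error above) have a type level such as "doc".
    roots = [mappings] if "properties" in mappings else list(mappings.values())
    if sum(raise_limit(root, field, limit) for root in roots) == 0:
        raise KeyError(f"no keyword sub-field mapped for {field!r}")
    return {"aliases": inner.get("aliases", {}), "settings": settings, "mappings": mappings}


if __name__ == "__main__":
    # 8191 = 32766 // 4: ignore_above counts characters, Lucene caps terms at 32766 bytes.
    print(json.dumps(to_create_body(EXPORTED, "log4j2-generic", "log4j_root_cause", 8191), indent=2))
```

The main field stays of type text, so the first error does not arise; only the keyword sub-field changes. Documents have to be imported again after the index is recreated for the new limit to take effect.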