I am using a dis-logger that accepts the raw logs and transforms them into a more useful form. For a given field, I might first transform it from int to string in the dis-logger Python file, say ForceID might go from [1,2,3] to ['Good', 'Bad', 'Neutral']. However, the data will not show up in the index pattern. I've gone to the index pattern and tried changing ForceID from int to string, but that option is not possible (the button is not working).
So a given index will see the original data and set the fields. Then if I modify the incoming logs, the index fails. I've tried recreating the index, but that is problematic. Since there is old data before modifying the types, the index is unalterable.
Are you using any template for your index?
If you are not using any template, Elasticsearch will map a field in the index the first time it receives any data for that field, so if the first time it received data that it detected as an integer, it may map the field as a numeric field, and if you try to send this field with some string value, Elasticsearch will reject it.
For example, if your field `ForceID` was mapped as a numeric field by Elasticsearch, you won't be able to send any string value for this field, e.g. `ForceID` with the value `Good` will be rejected.
If the field `ForceID` can have string values as well as integer values, you will need to map this field as `keyword` for example, so it will accept both values, but the integer values will be treated as strings.
You can't change the mapping on an existing index; you will need to create another index with the correct mapping, and if you want to change it for the already indexed data you will need to reindex it.
To read more about explicit mapping, you can check in the documentation.
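The fix described in the reply above, as an added example that is not part of the original thread: it builds the request bodies for a new index with `ForceID` explicitly mapped as `keyword` and for a `_reindex` call that rewrites the old integer values to labels. The index names `dis-logs-v1` and `dis-logs-v2`, the cluster URL and the helper names are assumptions; the label values come from the question.

```python
import json
import urllib.request

# Assumed names (not from the thread): old/new index names and the cluster URL.
OLD_INDEX = "dis-logs-v1"
NEW_INDEX = "dis-logs-v2"
ES_URL = "http://localhost:9200"

# Label mapping taken from the question: [1, 2, 3] -> ['Good', 'Bad', 'Neutral'].
FORCE_LABELS = {"1": "Good", "2": "Bad", "3": "Neutral"}


def create_index_body():
    """Explicit mapping: ForceID is a keyword, so dynamic mapping never guesses 'long'."""
    return {"mappings": {"properties": {"ForceID": {"type": "keyword"}}}}


def reindex_body(old=OLD_INDEX, new=NEW_INDEX):
    """_reindex request that rewrites old integer ForceID values to their labels."""
    script = (
        "def v = ctx._source.ForceID;"
        " if (v != null) {"
        " def k = v.toString();"
        " ctx._source.ForceID = params.labels.containsKey(k) ? params.labels.get(k) : k;"
        " }"
    )
    return {
        "source": {"index": old},
        "dest": {"index": new},
        "script": {"lang": "painless", "source": script, "params": {"labels": FORCE_LABELS}},
    }


def to_label(value):
    """Same normalization for new documents in the Python logger; unknown values stay strings."""
    return FORCE_LABELS.get(str(value), str(value))


def send(method, path, body, base=ES_URL):
    """Send one JSON request to the cluster and return the decoded response."""
    req = urllib.request.Request(
        base + path, data=json.dumps(body).encode(), method=method,
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(send("PUT", "/" + NEW_INDEX, create_index_body()))
    print(send("POST", "/_reindex", reindex_body()))
```

After the reindex completes, point the logger and the Kibana index pattern at the new index, then refresh the index pattern's field list so `ForceID` shows as a string field.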