How to get rid of new field?

sunilmchaudhari · April 15, 2016, 11:30am

Hi,
I have created eventLogTime field in logstash indexer and assign timestamp form the log. I have provided list of timestamp while doing this. Now the problem is when we are adding applications in centralized logging, some systems have timestamps which are not in the list provided in indexer.
Then it gives error (grokeparsefailure). Due to this I have decided to remove this filter, as its of less importance.

After commenting out this filer, I can still see eventLogTime field for new logs on Kibana?
I hope it should not be there for new logs.

br,
Sunil

warkolm · April 16, 2016, 8:31pm

Use mutate + remove_field - https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html#plugins-filters-mutate-remove_field

sunilmchaudhari · April 19, 2016, 6:38am

Hi,
But I think this will work for current documents which are getting stored.
It saying evenLogTIme is conflicting across indexes. How to solve this? How to get those indexes in which eventLogTime field has conflicting data type?

br,
Sunil

warkolm · April 19, 2016, 7:21am

No, you need to reindex.

sunilmchaudhari · April 19, 2016, 7:43am

Hi,

Re-indexing after remove field?
Re-indexing for new as well as old indexes? or only old indexes?
Any guideline/documentation?

br,
Sunil

warkolm · April 19, 2016, 8:11am

If there are old documents that need changing, they need to be reindexed.
New ones just need the new mutate applied.