Hello, we prefer structured logs as it helps us perform filtered searches in ES, however there are oftentimes conflicts for certain fields, for example ts, timestamp or time depending on the app may be of type date or of type float.
I would still like to have all these logs live together in the same indices and play nice. What are the options? I presume some sort of log processor prior to arriving at elasticsearch should standardize any time values, are there any examples of this?
You need to create _mapping for your index so they will all be stored into the same datatype. You cannot rely on the default type as epoch will be stored as long rather than date, etc.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.