How to use logstash to change the field type of winlogbeat data

godfather7 · November 30, 2018, 12:03pm

Hi,
I want to change the field type from string to number of event_data collected through winlogbeat.
I have tried mutate way, but it's not working. Please tell me how to do it and how to reindex the data as well
My config file is
input {
beats {
port => 5044
}
}

filter {
mutate {
convert => {
"event_data.BootTime" => "integer"
}
}
}

output {
elasticsearch {
hosts => "localhost:9200"
manage_template => false
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
}
}

Eniqmatic · November 30, 2018, 3:27pm

You won't be able to change the type if the index has already been created with one type. You need to re-index as you say:

https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html

godfather7 · December 3, 2018, 9:48am

while creating new index, i am getting this error "Gateway Timeout "

Screenshot%20(49)

system · December 31, 2018, 9:48am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to change field type of filebeat modules? Beats filebeat	5	1300	May 11, 2021
Mutate WinlogBeat Logstash	4	1069	August 11, 2017
Split "event_data" to only show the original field Beats winlogbeat	3	1209	April 13, 2017
Parsing winlogbeat message field Beats winlogbeat	3	1982	July 20, 2019
Winlogbeat - Event Tagging and Overriding 'type' in Logstash Beats winlogbeat	3	3359	April 12, 2016

How to use logstash to change the field type of winlogbeat data

Related topics