https://discuss.elastic.co/t/grok-will-not-change-field-type-to-int-or-ip/63756/4

Continuing the discussion from Grok will not change field type to Int or IP:

I'm using elasticsearch-6.4.2 along with logstash-6.4.2.
In the /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.2.1-java/lib/logstash/outputs/elasticsearch path I see these files:

-rw-r--r--. 1 logstash logstash  8766 Sep 26 18:05 common_configs.rb
-rw-r--r--. 1 logstash logstash 13673 Sep 26 18:05 common.rb
-rw-r--r--. 1 logstash logstash  2993 Oct 22 18:10 elasticsearch-template-es2x.json
-rw-r--r--. 1 logstash logstash  1256 Oct 22 18:09 elasticsearch-template-es5x.json
-rw-r--r--. 1 logstash logstash  1158 Oct 22 16:24 elasticsearch-template-es6x.json
-rw-r--r--. 1 logstash logstash  1174 Oct 22 18:09 elasticsearch-template-es7x.json
drwxr-xr-x. 2 logstash logstash  4096 Oct 17 13:28 http_client
-rw-r--r--. 1 logstash logstash  5780 Sep 26 18:05 http_client_builder.rb
-rw-r--r--. 1 logstash logstash 13730 Sep 26 18:05 http_client.rb
-rw-r--r--. 1 logstash logstash  1617 Sep 26 18:05 template_manager.rb

Having changed all 4 elasticsearch-template-es*x.json files by adding "my_field": { "type": "ip"} and then deleting the old indexes and restarting logstash, the type of my_field in new indexes is still text, not ip!! What are these -es*x for? And where should I add my changes?

Thanks in advance!

What is the name of your index? The standard index templates that come with Logstash are set only to apply to indices with a name matching the pattern logstash-*.

My index name is something different from logstash-*. I've also tried to add a template to elasticsearch as follows ...

PUT _template/template_1
{
  "index_patterns": ["my_index-*"],
  "mappings": {
     "properties": {
        "my_field": {
          "type": "ip"
        }
     }
  }
}

but in the presence of this template no doc is indexed!
I've also tried another thing ..., after deleting the above template, i.e. DELETE _template/template_1, I copied the mapping of the my_index-2018-10-23 ...

{
  "mapping": {
    "doc": {
      "properties": {
        "@timestamp": {
          "type": "date"
        },
        "@version": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "my_field": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        }, ...

and changed the type of my_field to ip and then PUT it into elasticsearch with "index_patterns": ["my_index-*"]. Using this template, docs were indexed, but the type of my_field was still text, not ip!
I'm quite confused; what is wrong with my work?
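
An added example, not part of the thread and not Elastic's code: a simplified offline model of how Elasticsearch 6.x selects index templates for a new index, using the index and field names from the posts above. The template bodies are constructed samples, the helper names are hypothetical, and it assumes documents use the `doc` mapping type that appears in the copied mapping.

```python
import re

def pattern_matches(pattern, index_name):
    # Template index patterns support only "*" as a wildcard.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index_name) is not None

def lint_template(body):
    """Flag a 6.x template whose mappings lack the mapping-type level."""
    if "properties" in body.get("mappings", {}):
        return ["'properties' sits directly under 'mappings'; expected a type such as 'doc'"]
    return []

def effective_field_type(templates, index_name, doc_type, field):
    """Type the matching templates give `field`; None means dynamic mapping decides."""
    matching = [t for t in templates.values()
                if any(pattern_matches(p, index_name) for p in t.get("index_patterns", []))]
    result = None
    # Lower "order" is applied first, higher "order" overrides it.
    for t in sorted(matching, key=lambda t: t.get("order", 0)):
        props = t.get("mappings", {}).get(doc_type, {}).get("properties", {})
        if field in props:
            result = props[field].get("type")
    return result

IP_FIELD = {"my_field": {"type": "ip"}}
# Constructed sample bodies, shaped like GET _template output.
SHIPPED_EDITED = {"logstash": {"index_patterns": ["logstash-*"],
                               "mappings": {"doc": {"properties": IP_FIELD}}}}
NO_TYPE_LEVEL = {"template_1": {"index_patterns": ["my_index-*"],
                                "mappings": {"properties": IP_FIELD}}}
WITH_TYPE_LEVEL = {"template_1": {"index_patterns": ["my_index-*"],
                                  "mappings": {"doc": {"properties": IP_FIELD}}}}

if __name__ == "__main__":
    for name, tpls in [("shipped, edited", SHIPPED_EDITED),
                       ("no type level", NO_TYPE_LEVEL),
                       ("with type level", WITH_TYPE_LEVEL)]:
        t = effective_field_type(tpls, "my_index-2018-10-23", "doc", "my_field")
        print(name, "->", t or "dynamic mapping (text for strings)")
```

The model covers only pattern matching, `order`, and the type level of the mapping; settings, aliases and dynamic templates are left out.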
