https://discuss.elastic.co/t/grok-will-not-change-field-type-to-int-or-ip/63756/4


#1

Continuing the discussion from Grok will not change field type to Int or IP:

I'm using elasticsearch-6.4.2 along with logstash-6.4.2.
In the /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.2.1-java/lib/logstash/outputs/elasticsearch path I see these files:

-rw-r--r--. 1 logstash logstash  8766 Sep 26 18:05 common_configs.rb
-rw-r--r--. 1 logstash logstash 13673 Sep 26 18:05 common.rb
-rw-r--r--. 1 logstash logstash  2993 Oct 22 18:10 elasticsearch-template-es2x.json
-rw-r--r--. 1 logstash logstash  1256 Oct 22 18:09 elasticsearch-template-es5x.json
-rw-r--r--. 1 logstash logstash  1158 Oct 22 16:24 elasticsearch-template-es6x.json
-rw-r--r--. 1 logstash logstash  1174 Oct 22 18:09 elasticsearch-template-es7x.json
drwxr-xr-x. 2 logstash logstash  4096 Oct 17 13:28 http_client
-rw-r--r--. 1 logstash logstash  5780 Sep 26 18:05 http_client_builder.rb
-rw-r--r--. 1 logstash logstash 13730 Sep 26 18:05 http_client.rb
-rw-r--r--. 1 logstash logstash  1617 Sep 26 18:05 template_manager.rb

Having changed all 4 elasticsearch-template-es*x.json files by adding "my_field": { "type": "ip"} and then deleting the old indexes and restarting logstash, the type of my_field in new indexes is still text, not ip!! What are these -es*x for? And where should I add my changes?

Thanks in advance!


(Christian Dahlqvist) #2

What is the name of your index? The standard index templates that come with Logstash are set only to apply to indices with a name matching the pattern logstash-*.


#3

My index name is something different from logstash-*. I've also tried to add a template to elasticsearch as follows ...

PUT _template/template_1
{
  "index_patterns": ["my_index-*"],
  "mappings": {
     "properties": {
        "my_field": {
          "type": "ip"
        }
     }
  }
}

but in presence of this template no doc is indexed!
I've also tried another thing ..., after deleting the above template, i.e. DELETE _template/template_1, I copied the mapping of the my_index-2018-10-23 ...

{
  "mapping": {
    "doc": {
      "properties": {
        "@timestamp": {
          "type": "date"
        },
        "@version": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "my_field": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        }, ...

and changed type of my_field to ip and then PUT it into elasticsearch with "index_patterns": ["my_index-*"]. Using this template docs were indexed but the type of my_field was still text not ip!
I'm quite confused, what is wrong about my work?
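
An added example, not part of any post in this thread: a small Python check of an Elasticsearch 6.x index template body for two conditions, that `index_patterns` matches the index name (the point raised in post #2) and that `mappings` is keyed by the document type, as 6.x expects. The function names are hypothetical, and the `doc` type and index name are taken from post #3.

```python
import re

def pattern_matches(pattern, index_name):
    # Index template patterns use '*' as their only wildcard.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index_name) is not None

def check_template(template, index_name, doc_type, field, want_type):
    """List the reasons `template` will not map `field` as `want_type`
    in `index_name`; an empty list means no problem was found."""
    problems = []
    patterns = template.get("index_patterns", [])
    if not any(pattern_matches(p, index_name) for p in patterns):
        problems.append("index_patterns %r do not match %r" % (patterns, index_name))
    mappings = template.get("mappings", {})
    if "properties" in mappings:
        # 6.x reads each key directly under "mappings" as a type name.
        problems.append('"mappings" is not keyed by a type name')
        return problems
    if doc_type not in mappings:
        problems.append("no mapping for document type %r" % doc_type)
        return problems
    got = mappings[doc_type].get("properties", {}).get(field, {}).get("type")
    if got != want_type:
        problems.append("%s is mapped as %r, not %r" % (field, got, want_type))
    return problems

# Constructed inputs. TYPELESS is the template body from post #3; TYPED is the
# same body keyed by the "doc" type seen in the index mapping in that post.
TYPELESS = {"index_patterns": ["my_index-*"],
            "mappings": {"properties": {"my_field": {"type": "ip"}}}}
TYPED = {"index_patterns": ["my_index-*"],
         "mappings": {"doc": {"properties": {"my_field": {"type": "ip"}}}}}
# Stand-in for an edited bundled template: only the logstash-* pattern comes
# from post #2, the mapping body is constructed.
EDITED_BUNDLED = {"index_patterns": ["logstash-*"],
                  "mappings": {"doc": {"properties": {"my_field": {"type": "ip"}}}}}

if __name__ == "__main__":
    for name, tpl in [("typeless", TYPELESS), ("typed", TYPED),
                      ("edited bundled", EDITED_BUNDLED)]:
        print(name, check_template(tpl, "my_index-2018-10-23", "doc", "my_field", "ip"))
```
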

