Interger field showing as string

sreejiths · February 22, 2018, 6:14am

GROK

grok {

     match => [
        # IOS
        "message", "%{IP:host_nagios}: Nagios-Log device_id=%{WORD:hostname} rtt=%{NUMBER:RTT} avgSD=%{NUMBER:SDLATENCY} avgDS=%

{NUMBER:DSLATENCY} syslog_sev_level=%{INT:syslog_sev_level} syslog_severity=%{WORD:syslog_severity} hostgroup=%{WORD:hostgroup} %{GR
EEDYDATA:log_message}"
]
add_tag => [ "Nagios" ]
}
}

if "Nagios" in [tags]
{

mutate { convert => { "syslog_sev_level" => "integer" } }
mutate { convert => { "RTT" => "float" } }
mutate { convert => { "SDLATENCY" => "float" } }
mutate { convert => { "DSLATENCY" => "float" } }

ISSUE:
The field RTT/SDLATENCY/ DSLATENCY is showing as string in KIBANA .Due to this i am not able to use this parameter to created visulization .. I refeshed/recreated index in Kibana , restarted logstash mutiple times ..Any advice on how to fix ???

magnusbaeck · February 22, 2018, 6:54am

What does the JSON document look like, are the fields actually numbers there?

sreejiths · February 22, 2018, 6:58am

Yes

{
"_index": "logstash-2018.02.22",
"_type": "nagios",
"_id": "AWG8R23JE3k31ptJ2riI",
"_score": null,
"_source": {
"syslog_sev_level": 6,
"host_nagios": "XXXXX",
"SDLATENCY": 32.23,
"message": "XXXXX: Nagios-Log device_id=XXXXX rtt=61.92 avgSD=32.23 avgDS=29.69 syslog_sev_level=6 syslog_severity=information hostgroup=WAN service_description=IPSLA-Latency_To_XXXX_Business time="Thu Feb 22 14:50:53 SGT 2018" msg="OK: RTT=61.92ms avgSD=32.23ms avgDS=29.69ms IP SLA 86001041 # To_XXXX1_Business Jitter probe to 202.163.53.182 "",
"type": "nagios",
"syslog_severity": "information",
"tags": [
"Nagios"
],
"hostname": "XXXXXX",
"@timestamp": "2018-02-22T06:52:59.651Z",
"RTT": 61.92,
"port": 43587,
"@version": "1",
"host": "10.67.21.164",
"hostgroup": "WAN",
"log_message": " service_description=IPSLA-Latency_To_XXXXX_Business time="Thu Feb 22 14:50:53 SGT 2018" msg="OK: RTT=61.92ms avgSD=32.23ms avgDS=29.69ms IP SLA 86001041 # To_XXXXX_Business Jitter probe toXXXXX "",
"DSLATENCY": 29.69
},
"fields": {
"@timestamp": [
1519282379651
]
},
"sort": [
1519282379651
]
}

magnusbaeck · February 22, 2018, 7:09am

I refeshed/recreated index in Kibana

Do you mean you deleted the index in ES or just recreated the index pattern in Kibana?

sreejiths · February 22, 2018, 7:10am

I meant recreated the index pattern in Kibana..

sreejiths · February 22, 2018, 7:14am

Running of ELK V5.2

magnusbaeck · February 22, 2018, 7:28am

I meant recreated the index pattern in Kibana..

That doesn't change anything. To change the mapping of an existing field you have to recreate the index itself.

sreejiths · February 22, 2018, 7:36am

You are right ..Thanks for help ..Fixed the issue ..

system · March 22, 2018, 7:36am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.