Is it necessary to change the field data type?

(Vikas Gopal) #1

Hi Experts,

I have a very basic question. I am using the ELK stack to show syslog data in Kibana. My plan is not to mutate or modify any field at the Logstash level. Here I have a question: can I treat ES as a traditional database like SQL, where data types play an important role, or is it necessary to change the data type of the field? I have seen that if I do not modify the data type in LS, ES will pick up all the fields as strings.


(Mark Walkom) #2

Depends on your use case, but I'd certainly define things.

(Vikas Gopal) #3

Thanks Mark,

My use case would be like: maximum firewall bytes in or bytes out, top 10 destination IPs, top destination ports, top source ports, etc.

(Mark Walkom) #4

Then yes, you should map those fields.
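
A mapping for the use case in post #3, as an added example that is not from any poster in this thread; the field names are hypothetical and the typeless `properties` layout assumes Elasticsearch 7 or later. Numeric types let a max aggregation run on the byte counts, and the `ip` type supports both top-N terms aggregations and CIDR range queries on addresses.

```json
{
  "mappings": {
    "_meta": {
      "note": "Added example. Field names are hypothetical; rename them to match what Logstash emits."
    },
    "properties": {
      "@timestamp": { "type": "date" },
      "bytes_in":   { "type": "long" },
      "bytes_out":  { "type": "long" },
      "src_ip":     { "type": "ip" },
      "dst_ip":     { "type": "ip" },
      "src_port":   { "type": "integer" },
      "dst_port":   { "type": "integer" }
    }
  }
}
```

The mapping has to be in place (for example through an index template) before the first document is indexed, because the type of an existing field cannot be changed without reindexing.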
