Hi everyone,
I'm using Kibana 7.13.1. I've established a Logstash instance on some web hosting servers that I connect to an Elasticsearch data stream to store IIS (Internet Information Services) logs in a daily rolling index.
The setup works, but I've run into a problem: I noticed I cannot aggregate all fields in my dashboards, which I would like to use to visualize patterns in my logs. I realized that it is because text fields cannot be aggregated.
That's alright, because I don't mind using a keyword type. So, I changed the type of the fields from text to keyword in my IIS component template. The index template simply references the component template and nothing else, so I'll just include my mapping for the component.
I had assumed that changing the template field type would automatically carry over to the index pattern that uses the template. This is, however, not the case.
I've looked into refreshing this index pattern to bring these underlying type changes into the index pattern so that I can aggregate over the keyword fields, but with no success. Can anyone offer advice / insight into what is going on here?
I hope this isn't the case, but do I have to pause document collection via Logstash on all my servers, delete the index pattern, and restart my services, in order to refresh this? Worse would be if I have to delete all my previous indices created by this data stream in order to get these field types to refresh, but that seems drastic. I feel like this can be done in some way.
If anyone has experience in this area, I would really appreciate it!
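As an added example (not code from the original post), here is a Python check over the `field_caps` response that Kibana's index-pattern refresh relies on: a template change only applies to backing indices created after it (for example after a data stream rollover), so older backing indices keep the `text` mapping and the field shows as a conflict until those indices are reindexed or age out. The index and field names below are constructed placeholders.

```python
# Added example, not from the original post. Reads an Elasticsearch field_caps
# response and reports which backing indices still map a field as a
# non-aggregatable type, which is why the index pattern cannot aggregate on it.
# Index and field names are constructed placeholders.

# Constructed sample of GET /logs-iis-*/_field_caps?fields=cs_uri_stem,sc_status
# taken after the component template changed cs_uri_stem from text to keyword
# and the data stream rolled over once: the older backing index still carries
# the old mapping, so the field reports two types across indices.
SAMPLE_FIELD_CAPS = {
    "indices": [".ds-logs-iis-2021.06.20-000001", ".ds-logs-iis-2021.06.21-000002"],
    "fields": {
        "cs_uri_stem": {
            "text": {
                "type": "text", "searchable": True, "aggregatable": False,
                "indices": [".ds-logs-iis-2021.06.20-000001"],
            },
            "keyword": {
                "type": "keyword", "searchable": True, "aggregatable": True,
                "indices": [".ds-logs-iis-2021.06.21-000002"],
            },
        },
        # A field mapped the same way everywhere has no per-type "indices" list.
        "sc_status": {
            "integer": {"type": "integer", "searchable": True, "aggregatable": True},
        },
    },
}


def non_aggregatable_indices(field_caps, field):
    """Return the backing indices on which `field` is not aggregatable.

    A per-type entry lists "indices" only when the field's mapping differs
    across the queried indices; when absent, that type applies to all of them.
    """
    blocked = []
    for type_caps in field_caps["fields"].get(field, {}).values():
        if not type_caps["aggregatable"]:
            blocked.extend(type_caps.get("indices", field_caps["indices"]))
    return sorted(set(blocked))


def mapping_conflicts(field_caps):
    """Map each field with more than one type to {type: [indices]}.

    Kibana lists such fields with type "conflict" and will not aggregate on
    them even after the index pattern is refreshed.
    """
    return {
        field: {t: sorted(c.get("indices", [])) for t, c in caps.items()}
        for field, caps in field_caps["fields"].items()
        if len(caps) > 1
    }
```

Run it against your own cluster by replacing `SAMPLE_FIELD_CAPS` with the JSON from `GET /<data-stream>/_field_caps?fields=*`; every index it lists for a field needs a rollover (for new data) or a reindex (for old data) before the field becomes aggregatable in the index pattern.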