Hi,
I am trying to view the logs which have higher time-taken parameter.
In many of the logs, I can see that the time taken parameter is logged in as 8.000, 15.500, 15.753 etc
If I try to search with timetaken > 8.000
Ideally, it should have displayed all results more than 8 but instead it displays only one result as shown below.
I had changed my query as below and then I can see the results. Any suggestion what is going wrong ?
Ideally the result set for timetaken > 8.000 and timetaken > 10.000 should have been identical.
matw
April 20, 2020, 8:17am
2
Hi
Are you sure that timetaken is a numeric data type? It looks like it's a textual type which could explain this behavior.
Best,
i have changed the grok patter to match timetaken as below :
%{NUMBER:timetaken:float}
Any further suggestions ???
matw
April 23, 2020, 5:25am
4
Yes, could you please post a screenshot that contains timetaken in the field list on the left , I'm interested which icon is displayed.
vikramaddagulla:
timetaken as
Hope this is what you are looking for...
matw
April 24, 2020, 7:47am
6
Thank, this looks like this isn't a numeric field, it's a text field, and that's why it doesn't work.
Could you export the mapping of an index that contains this field? You can do this in our Dev Tools Console applicationhttps://www.elastic.co/guide/en/elasticsearch/reference/current/indices-get-mapping.html
Of interest would be the mapping of timetaken
Also you could have a look management's index pattern, where you can configure the formatting of the fields.
Best,
Hello
Yes. It indeed looks like text field.
I have checked this from the Index Management screen --> IndexName and checked the below in the mapping :
"timetaken": {
Probably when the index was created first, it would have taken up the text type.
--> I have now modified the logstash grok as below :
--> I have checked the format field in the index pattern and I cannot see option of changing it back to int or float.
lusynda
April 24, 2020, 8:16am
8
Well you need to change mapping of the index and not the grok in logstash.
1 Like
Thank you...
reindex your old index to a new one ====> Does it mean we cannot change the type in the existing index ?
Can we not re-index the data instead of creating new index ?
matw
May 14, 2020, 5:52am
10
You cannot change the type in an existing index, you need to reindex it, and that means creating a new index
https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html
Best,
Thank you.
This topic can be closed.
I deleted and re-created the index. At the time of initial creation, i passed the data type in the grok pattern like below :
%{NUMBER:timetaken:float}
Then it started picking up the data in the new format.
1 Like
