I am trying to change the default indexing pattern for Logstash's netflow module. Currently the fields netflow.dst_port and netflow.src_port are set to string!
I have been changing the JSON files (netflow.json) in this directory:
/usr/share/logstash/modules/netflow
And then erasing all data from Elasticsearch and restarting everything. However, Kibana still shows that the field is a string.
I am curious why you want to map them as integers? While port values are numbers, they are really a kind of identifier rather than a quantity. This means that you will likely never be doing math functions on them, but you will be doing aggregations all the time using terms queries. By setting the type of these fields to a string you maximize query performance. More info here...
Thank you Robert for the link. What I want to do is build a query that displays only the ports that are above 1024. I have tried using [1024 TO *] and >=1024 but I keep getting lower port numbers as well. Are term/string fields allowed to work for queries with range values?
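As an added illustration that is not part of this thread: a small Python model of why a range filter on a string-mapped port field keeps returning ports below 1024, next to the mapping fragment that makes the fields numeric so the same range query compares values as numbers. The flow records are constructed sample data, and the nested `properties` layout is the assumed way the module's dotted field names (netflow.src_port, netflow.dst_port) are expressed in an Elasticsearch mapping.

```python
# Added example, not code from the Logstash netflow module or the thread.
# Constructed sample records: ports stored as strings, as the default mapping does.
SAMPLE_FLOWS = [
    {"netflow.src_port": "443", "netflow.dst_port": "53024"},
    {"netflow.src_port": "80", "netflow.dst_port": "1024"},
    {"netflow.src_port": "8080", "netflow.dst_port": "22"},
    {"netflow.src_port": "3389", "netflow.dst_port": "65535"},
]


def keyword_range(docs, field, gte):
    """Model a range query against a keyword (string) field.

    Elasticsearch orders keyword terms by their bytes, so the comparison is
    lexicographic: "22" >= "1024" is true because "2" sorts after "1".
    This is why ports below 1024 keep showing up in the results.
    """
    return [d[field] for d in docs if d[field] >= str(gte)]


def integer_range(docs, field, gte):
    """Model the same query once the field is mapped as an integer."""
    return [d[field] for d in docs if int(d[field]) >= gte]


def mapping_fix(fields):
    """Build the mapping fragment that types the given dotted fields as integer.

    Each dotted name is expanded into nested object "properties", e.g.
    netflow.dst_port -> properties.netflow.properties.dst_port.
    "integer" is a real Elasticsearch field type; the nesting is assumed to
    match how the module writes its JSON mapping.
    """
    root = {"properties": {}}
    for dotted in fields:
        node = root
        parts = dotted.split(".")
        for part in parts[:-1]:
            node = node["properties"].setdefault(part, {"properties": {}})
        node["properties"][parts[-1]] = {"type": "integer"}
    return root


def range_query(field, gte):
    """Query DSL body for 'field >= gte'; behaves numerically only once
    the field is mapped as a number."""
    return {"query": {"range": {field: {"gte": gte}}}}


if __name__ == "__main__":
    print("keyword:", keyword_range(SAMPLE_FLOWS, "netflow.dst_port", 1024))
    print("integer:", integer_range(SAMPLE_FLOWS, "netflow.dst_port", 1024))
    print(mapping_fix(["netflow.src_port", "netflow.dst_port"]))
```

The mapping fragment has to be applied before the index is (re)created, which is why editing the module JSON and restarting only takes effect when the old index is dropped rather than just emptied.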