MAC address changed to mixed datatype in Elastic

I am feeding data into an ES index. The data has a MAC address. Elastic is mapping it to a mixed data type (part string, part numeric). How do I fix this issue? I am not able to use the "term" option while querying. It won't fetch.
I tried mapping it to keyword.

Hi @meghananagaraja. Welcome!!

How are you mapping the field deviceId in the index?
How are you doing the Term query, using the keyword field and the full or partial MAC?

Thank you @RabBit_BR for your quick response. Here is the mapping I used while creating the index:

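    mapping = {
        "mappings": {
            "properties": {
                # deviceId is analyzed text with an exact-match keyword sub-field
                "deviceId": {
                    "type": "text",
                    "fields": {
                        "keyword": {
                            "type": "keyword",
                            "ignore_above": 256
                        }
                    }
                },
                # (the remaining properties were not included in the post)
            }
        }
    }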

I am querying from a Python app:

    if deviceId:
        search_body['query']['bool']['must'].append({
            "term": {"deviceId.keyword": deviceId}
        })

The above query is fetching results. But how do I prevent this incorrect dynamic mapping in the first place?

If you do not explicitly define the fields in the mapping, when a new unmapped property is indexed it will generate the field with type text and the keyword. This is the default behavior.

You can use another approach: a dynamic template. A dynamic template allows you to define rules so that certain fields are automatically mapped according to specific patterns, such as the field name.

    PUT /idx
    {
      "mappings": {
        "dynamic_templates": [
          {
            "deviceId_as_keyword": {
              "match": "deviceId",
              "mapping": {
                "type": "keyword"
              }
            }
          }
        ]
      }
    }
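An added example, not code from the thread: it reads a mapping in the shape returned by `GET /idx/_mapping` and picks the field path a `term` query should target, which is `deviceId.keyword` under the default dynamic mapping and plain `deviceId` once the field is mapped as `keyword`. The sample mappings, the helper names and the MAC normalization (which assumes the same canonical form is applied at index time, since a `term` query is not analyzed and a keyword field matches only the exact stored value) are assumptions.

```python
import re

# Constructed samples of GET /idx/_mapping output (not taken from the thread).
DYNAMIC_DEFAULT = {"idx": {"mappings": {"properties": {"deviceId": {
    "type": "text",
    "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}}}}}}
EXPLICIT_KEYWORD = {"idx": {"mappings": {"properties": {
    "deviceId": {"type": "keyword"}}}}}


def normalize_mac(value):
    """Return a MAC as lower-case, colon-separated hex (assumed canonical form)."""
    digits = re.sub(r"[:.\-]", "", value.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {value!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def exact_match_field(mapping, index, field):
    """Pick the field path a term query has to target for exact matching."""
    spec = mapping[index]["mappings"]["properties"].get(field)
    if spec is None:
        raise KeyError(f"{field} is not mapped in {index}")
    if spec.get("type") == "keyword":
        return field                      # explicit keyword mapping
    for name, sub in spec.get("fields", {}).items():
        if sub.get("type") == "keyword":
            return f"{field}.{name}"      # text field with a keyword sub-field
    raise ValueError(f"{field} has no keyword mapping in {index}")


def device_term_query(mapping, index, mac):
    """Build the search body for an exact deviceId lookup."""
    path = exact_match_field(mapping, index, "deviceId")
    return {"query": {"bool": {"must": [{"term": {path: normalize_mac(mac)}}]}}}


if __name__ == "__main__":
    for sample in (DYNAMIC_DEFAULT, EXPLICIT_KEYWORD):
        print(device_term_query(sample, "idx", "00-1A-2B-3C-4D-5E"))
```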