Mapping

Elitlogik · November 17, 2020, 12:23pm

Logstash creates datestamped indexes, syslog-2020.11.17 etc, so I have an index for each day.

I use kv filter to parse data.

The syslog source sends different parameters depending on event type, so the index pattern Fields grow as time goes on, currently 312 Fields (one Field and one Field.keyword).

Therefore, after a while, I'd like to change the type of a Field from i.e. String to Number, to enable sums and average aggregates.

But it seems overly complicated to do so...

For what I've found, reindex is the only solution: https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html

I don't mind stopping logging or deleting indexes, I just want the index pattern to use a Field type.

Can I download the Index Pattern JSON, change the types, and upload it?

Please help me out... Thank you for your support!

warkolm · November 17, 2020, 10:40pm

Kind of. You can download it, optimise it and then upload it as an index template. This means that future indices will use that mapping.

For existing indices, if you want this to apply you will need to reindex.

Elitlogik · November 18, 2020, 9:36am

Thank you very much! Works perfectly with index template.

system · December 16, 2020, 9:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to change the field types of a index pattern? Kibana	2	809	September 12, 2023
How can I change fields type on elasticsearch without stop my services? Elasticsearch	4	701	January 14, 2017
Change the type of a field Elasticsearch	2	750	February 14, 2017
Simple way to reindex a field type? Elasticsearch	4	562	August 28, 2017
Change the type in index from String to Date Elasticsearch	4	2617	May 9, 2019

Mapping

Related topics