New Template vs Mutate vs Convert

I just installed this (Elastic-6 with included Logstash and Kibana) and I've been playing around with data from my DHCP server.

I'm able to send a CSV (PowerShell-created) using Filebeat and parse it with the Logstash csv filter with no problems... I also discovered the data defaults to strings... Using csv convert fixed that and all is great!

Now comes the question:
I want to have one of the fields, "ScopeID", be an actual IP and not a number. I do not see this as something convert can do. Searching this website and others, it seems the answer is to create a new template... OK... WHY?

What is the difference between a new template and doing the conversion with mutate or convert? I haven't found any info on why/when one needs to create a new template and not leverage mutate or convert.

Not asking how to do it ;) I just want to understand the why.


The index mapping (which you could define in an index template) tells Elasticsearch how it should treat the data that you send it. You could send Elasticsearch a string that should be treated as a date, as an IP address, or simply as a string. The mapping is the way to tell Elasticsearch that. Think of it as Elasticsearch's data schema.

The mutate and convert transformations are something you do to a document before you send it to Elasticsearch for indexing. You are changing the source document from containing a string like, for example, "42" to containing a number like 42.
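
The split described in the answer above, as an added example that is not part of the original posts: the document carries ScopeID as a plain string, and only the mapping makes Elasticsearch index it as an IP. It is written in Kibana Dev Tools console syntax for Elasticsearch 6.x; the template name `dhcp_scopes`, the index pattern `dhcp-*`, the type name `doc`, the `Free` field and all sample values are assumptions constructed for illustration.

```console
# Added example. Template name, index pattern, type name "doc",
# the "Free" field and all values are constructed assumptions.

# 1) Mapping side: the index template tells Elasticsearch to treat
#    ScopeID as an IP address in every index matching dhcp-*.
PUT _template/dhcp_scopes
{
  "index_patterns": ["dhcp-*"],
  "mappings": {
    "doc": {
      "properties": {
        "ScopeID": { "type": "ip" }
      }
    }
  }
}

# 2) Document side: the pipeline still sends ScopeID as a JSON string.
#    Nothing in the document itself says "this is an IP".
#    "Free" is a number only because it was converted before sending.
POST dhcp-2018.01.01/doc
{
  "ScopeID": "10.20.30.0",
  "Free": 42
}

# 3) Because of the mapping, IP-aware queries such as CIDR matching work.
GET dhcp-*/_search
{
  "query": {
    "term": { "ScopeID": "10.20.0.0/16" }
  }
}

# 4) The mapping also acts as validation: a value that is not a valid
#    IP is rejected at index time with a mapper_parsing_exception
#    instead of being stored as text.
POST dhcp-2018.01.01/doc
{
  "ScopeID": "not-an-ip"
}
```

The template only applies to indices created after it is stored, so an existing index keeps its old mapping until it rolls over or is reindexed.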
