I am using ELK to parse my logs. I have created a number field duration in Logstash.
%{NUMBER:duration}
I want to find maximum duration. I am using metric in Kibana for the same. But duration field does not appear as a NUMBER field. Kibana shows it as a STRING. Kibana also shows duration as a string in Discover page. Duration is an integer varying from 0 to 177.
Please help me to understand why this is happening and how I can find maximum duration.
According to the docs, you should change your formula to %{NUMBER:duration:int} (or float) to store it as a number type.
By default all semantics are saved as strings. If you wish to convert a semantic’s data type, for example change a string to an integer then suffix it with the target data type. For example %{NUMBER:num:int} which converts the num semantic from a string to an integer. Currently the only supported conversions are int and float.
from Grok filter plugin | Logstash Reference [8.11] | Elastic
I made the changes and it worked. Thank you. 
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.