With ECS-GA coming our way, it was advised that we have to start using index templates to standardize on the correct field names & types. To prepare for this, I've started the exercise to reindex my firewall logs:
-
Create a new template (none were created before):
PUT _template/fwlogs-temp1
{
"index_patterns" : ["fwlogs-*"],
"mappings" : {
"doc" : {
"properties" : {
...
"RepeatCount" : {
"type" : "long"
},
...
}
}
}
} -
I reindex from old to new:
POST _reindex?pretty
{
"conflicts": "proceed",
"source": {
"index": "fwlogs-2019.02"
},
"dest": {
"index": "fwlogs-2019.02-v1",
"op_type": "create"
}
} -
When I check the new index (*-v1), the field "RepeatCount" is still in string type from the old index. I'm expecting to change to Integer/Long type. The template doesn't seem to supercede it.
Am I doing this correctly? Is there not a way to change field type during the reindex process?
Thanks
Rudy