Reindex Change Field Type

With ECS-GA coming our way, it was advised that we have to start using index templates to standardize on the correct field names & types. To prepare for this, I've started the exercise to reindex my firewall logs:

  1. Create a new template (none were created before):

    PUT _template/fwlogs-temp1
    {
    "index_patterns" : ["fwlogs-*"],
    "mappings" : {
    "doc" : {
    "properties" : {
    ...
    "RepeatCount" : {
    "type" : "long"
    },
    ...
    }
    }
    }
    }

  2. I reindex from old to new:

    POST _reindex?pretty
    {
    "conflicts": "proceed",
    "source": {
    "index": "fwlogs-2019.02"
    },
    "dest": {
    "index": "fwlogs-2019.02-v1",
    "op_type": "create"
    }
    }

  3. When I check the new index (*-v1), the field "RepeatCount" is still in string type from the old index. I'm expecting to change to Integer/Long type. The template doesn't seem to supercede it.

Am I doing this correctly? Is there not a way to change field type during the reindex process?

Thanks
Rudy

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.