Remapping Property Types

jitran · March 29, 2017, 1:09am

We're shipping logs to AWS Elasticsearch 5.1 using Fluentd. By default, most of our log properties are dynamically mapped to the string type. The Fluentd log collector does not let us define the mapping. It seems once the mapping has been created, it's not possible to change the type to an integer.

Here's our mapping:

{
  "logstash-2017.03.28": {
    "aliases": {},
    "mappings": {
      "fluentd": {
        "properties": {
          ...
          "code": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          ...
        }
      }
    },
    "settings": {
    ..
    }
  }
}

Trying to use PUT to remap a property:

PUT logstash-2017.03.28/_mapping/fluentd
{
  "properties": {
    "code": {
      "type": "integer"
    }
  }
}

Error:

{
  "error": {
    "root_cause": [
      {
        "type": "remote_transport_exception",
        "reason": "[CdG6KXq][x.x.x.x:9300][indices:admin/mapping/put]"
      }
    ],
    "type": "illegal_argument_exception",
    "reason": "mapper [code] of different type, current_type [text], merged_type [integer]"
  },
  "status": 400
}

With the Elasticsearch 2.x series it was possible to remap the property types. Is there a way to do this with ES 5.X ? Is there a way to configure ES to always set a particular property to a specific type?

Thanks

dadoonet · March 29, 2017, 5:30am

You need to change the mapping at index creation time. You can't change an existing field.
I'd suggest to add a template which does that.

Templates are merged at index creation time.

jitran · March 29, 2017, 5:52am

Thanks David.

The FluentD documentation suggests that too https://github.com/uken/fluent-plugin-elasticsearch#index-templates.

system · April 26, 2017, 5:52am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.