Unable to change type string to int (logstash -> es)

Elastic Stack Elasticsearch
1

Hi,
Pretty new to ELK.

I've setup my logstash to parse the apache response time as number --> %{NUMBER:response_time}
(I also tried with INT)
I can see the value in my json, but as it is defined within ES as a "string" I cannot visualised it on a line chart.

ES mapping

"response_time": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},

Tried to manual map it, but it still remains as string (delete and recreated the index after changing the template) What am I doing wrong?

logstash_config

filter {
if "apache_access" in [tags] {
mutate {
convert => { "response_time" => "integer" }
}
grok {
# You'll need to customize the pattern for your log format.
match => { "message" => "%{HOSTNAME:servername}%{SPACE}%{COMBINEDAPACHELOG}%{SPACE}%{NUMBER:response_time}" }
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
geoip {
source => "clientip"
}
}
output {
if "apache_access" in [tags] or "apache_error" in [tags] {
elasticsearch {
hosts => "localhost:9200"
manage_template => false
index => "apache-%{+YYYY.MM.dd}"
# document_type => "%{[@metadata][type]}"
}
} else if "postgres" in [tags] {
elasticsearch {
hosts => "localhost:9200"
manage_template => false
index => "postgres-%{+YYYY.MM.dd}"
}
}
}

my logstash_template

{
"template" : "logstash*",
"version" : 60002,
"settings" : {
"index.refresh_interval" : "5s"
},
"mappings" : {
"default" : {
"dynamic_templates" : [ {
"message_field" : {
"path_match" : "message",
"match_mapping_type" : "string",
"mapping" : {
"type" : "text",
"norms" : false
}
}
}, {
"string_fields" : {
"match" : "*",
"match_mapping_type" : "string",
"mapping" : {
"type" : "text", "norms" : false,
"fields" : {
"keyword" : { "type": "keyword", "ignore_above": 256 }
}
}
}
} ],
"properties" : {
"@timestamp": { "type": "date"},
"@version": { "type": "keyword"},
"geoip" : {
"dynamic": true,
"properties" : {
"ip": { "type": "ip" },
"location" : { "type" : "geo_point" },
"latitude" : { "type" : "half_float" },
"longitude" : { "type" : "half_float" }
}
},
"response_time" : { "type": "integer" }
}
}
}
}

Loading logstash template

$ curl -H'Content-Type: application/json' -XPUT http://localhost:9200/_template/logstash_template?pretty -d @logstash_template.json
{
"acknowledged" : true
}

2

Found the trick, change my grok filter to

%{NUMBER:response_time} --> %{NUMBER:response_time:int}

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.