I have 2 indexes created from 2 separate templates. I am trying to unify some of the field names/schema.
I have 2 sets of data from 2 sources coming into Logstash. I have used mutate and rename to change the name of a field from each source to the same name.
Data from both sources is just text and the templates have the types as text and keyword.
The data comes in; however, I find that I can search and filter on one of the data sources, while the other brings up no data if I search or filter, even if in Discover I click to filter on the field.
Hopefully this is the correct info, both are the same:
"mappings": {
  "doc": {
    "dynamic": false,
    "date_detection": false,
    "properties": {
      "@timestamp": {
        "type": "date"
The field in question:
"classification": {
  "type": "text",
  "fields": {
    "keyword": {
      "type": "keyword"
    }
  }
}
Sorry, what do you mean by compare for common fields?
Can you get the mappings for each index and look at the mapping for fields that you renamed so they have the same name across both indices? I am looking for the mapping that is present, not the index template.
I've just pulled the mapping for each index and the field is not mapped in the other index. I deleted all of the indexes for both after making the change to the template. Wonder what I missed.
Thank you for your help. I retraced my steps and found the issue, a mistake I managed to replicate on both templates. I resolved it, deleted the indexes, and pushed the data, and it's working as expected now.
Thanks for pointing me in the right direction.
Phil
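
The check suggested in the thread (pull the live mapping of each index, not the template, and compare the renamed field), written out as an added example that is not part of the original posts. The index names, function names and the two `GET /<index>/_mapping` response bodies are constructed for illustration; they follow the `doc` mapping type and `"dynamic": false` setting shown in the question.

```python
def flatten(props, prefix=""):
    """Return {dotted.field.path: type} for a mapping 'properties' object."""
    out = {}
    for name, spec in props.items():
        path = prefix + name
        out[path] = spec.get("type", "object")
        out.update(flatten(spec.get("properties", {}), path + "."))
        for sub, subspec in spec.get("fields", {}).items():   # multi-fields such as .keyword
            out[path + "." + sub] = subspec.get("type")
    return out

def mapped_fields(response):
    """Flatten the single index in a GET /<index>/_mapping response body."""
    (index, body), = response.items()
    mappings = body.get("mappings", {})
    if "properties" not in mappings:   # typed mapping: one extra level, e.g. "doc"
        typed = [v for v in mappings.values() if isinstance(v, dict) and "properties" in v]
        mappings = typed[0] if typed else mappings
    dynamic = str(mappings.get("dynamic", True)).lower()
    return index, dynamic, flatten(mappings.get("properties", {}))

def check_field(responses, field):
    """Report, per index, whether `field` is present in the live mapping."""
    report = {}
    for response in responses:
        index, dynamic, fields = mapped_fields(response)
        if field in fields:
            report[index] = "mapped as " + fields[field]
        elif dynamic == "false":
            # With dynamic=false an unmapped field stays in _source but is never indexed.
            report[index] = "not mapped, dynamic=false: kept in _source but not searchable"
        else:
            report[index] = "not mapped yet"
    return report

# Constructed sample responses (hypothetical index names).
SOURCE_A = {"source-a": {"mappings": {"doc": {
    "dynamic": False, "date_detection": False,
    "properties": {
        "@timestamp": {"type": "date"},
        "classification": {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
    }}}}}
SOURCE_B = {"source-b": {"mappings": {"doc": {
    "dynamic": False, "date_detection": False,
    "properties": {"@timestamp": {"type": "date"}},
}}}}

if __name__ == "__main__":
    for index, status in check_field([SOURCE_A, SOURCE_B], "classification").items():
        print(index, "->", status)
```

A field that shows up in Discover but returns nothing when filtered matches the second case: the document still carries the value in `_source`, but the index never mapped it.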